diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 8b1a26b9..1b02e62b 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -1,5 +1,5 @@ # T1003.001 - LSASS Memory -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index e8ed8862..38e29b1d 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -1,5 +1,5 @@ # T1003.002 - Security Account Manager -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access. A number of tools can be used to retrieve the SAM file through in-memory techniques: diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md index f6f5c581..de914e10 100644 --- a/atomics/T1003.003/T1003.003.md +++ b/atomics/T1003.003/T1003.003.md @@ -1,5 +1,5 @@ # T1003.003 - NTDS -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory) In addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015) diff --git a/atomics/T1003.004/T1003.004.md b/atomics/T1003.004/T1003.004.md index 9af7da85..244802ff 100644 --- a/atomics/T1003.004/T1003.004.md +++ b/atomics/T1003.004/T1003.004.md @@ -1,5 +1,5 @@ # T1003.004 - LSA Secrets -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets) [Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index f86d38f3..4baa2fc7 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -1,5 +1,5 @@ # T1003 - OS Credential Dumping -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well. diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index 0655cf80..d08caf66 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -1,5 +1,5 @@ # T1007 - System Service Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
## Atomic Tests diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index c06374c5..c8263dd5 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md @@ -1,5 +1,5 @@ # T1010 - Application Window Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1010)
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
## Atomic Tests diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md index 779cc6bc..441e91ce 100644 --- a/atomics/T1012/T1012.md +++ b/atomics/T1012/T1012.md @@ -1,5 +1,5 @@ # T1012 - Query Registry -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1012)
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index e39beb08..09b77975 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -1,5 +1,5 @@ # T1014 - Rootkit -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1014)
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index b1834db6..4078350d 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -1,5 +1,5 @@ # T1016 - System Network Configuration Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1016) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index acf3f2de..8a1f959d 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -1,5 +1,5 @@ # T1018 - Remote System Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain. diff --git a/atomics/T1020/T1020.md b/atomics/T1020/T1020.md index e4f89f97..697f4045 100644 --- a/atomics/T1020/T1020.md +++ b/atomics/T1020/T1020.md @@ -1,5 +1,5 @@ # T1020 - Automated Exfiltration -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1020) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1020)
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
diff --git a/atomics/T1021.001/T1021.001.md b/atomics/T1021.001/T1021.001.md index 34e99349..6915ac4b 100644 --- a/atomics/T1021.001/T1021.001.md +++ b/atomics/T1021.001/T1021.001.md @@ -1,5 +1,5 @@ # T1021.001 - Remote Desktop Protocol -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/001)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) diff --git a/atomics/T1021.002/T1021.002.md b/atomics/T1021.002/T1021.002.md index b5574c34..05a5a042 100644 --- a/atomics/T1021.002/T1021.002.md +++ b/atomics/T1021.002/T1021.002.md @@ -1,5 +1,5 @@ # T1021.002 - SMB/Windows Admin Shares -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/002)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba. diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md index e26fc2e4..2ddef964 100644 --- a/atomics/T1021.003/T1021.003.md +++ b/atomics/T1021.003/T1021.003.md @@ -1,5 +1,5 @@ # T1021.003 - Distributed Component Object Model -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/003)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM) diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md index 0c9c2aef..9dca5875 100644 --- a/atomics/T1021.006/T1021.006.md +++ b/atomics/T1021.006/T1021.006.md @@ -1,5 +1,5 @@ # T1021.006 - Windows Remote Management -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.006) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/006)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)
diff --git a/atomics/T1027.001/T1027.001.md b/atomics/T1027.001/T1027.001.md index 4659afd9..f7e9f706 100644 --- a/atomics/T1027.001/T1027.001.md +++ b/atomics/T1027.001/T1027.001.md @@ -1,5 +1,5 @@ # T1027.001 - Binary Padding -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/001)
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
diff --git a/atomics/T1027.002/T1027.002.md b/atomics/T1027.002/T1027.002.md index 39d0b248..4a353029 100644 --- a/atomics/T1027.002/T1027.002.md +++ b/atomics/T1027.002/T1027.002.md @@ -1,5 +1,5 @@ # T1027.002 - Software Packing -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/002)
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
diff --git a/atomics/T1027.004/T1027.004.md b/atomics/T1027.004/T1027.004.md index 48fd470e..c5d39e0b 100644 --- a/atomics/T1027.004/T1027.004.md +++ b/atomics/T1027.004/T1027.004.md @@ -1,5 +1,5 @@ # T1027.004 - Compile After Delivery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/004)
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018) Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 042692fc..1de5b50f 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -1,5 +1,5 @@ # T1027 - Obfuscated Files or Information -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027)
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index da70edee..b4b80de2 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -1,5 +1,5 @@ # T1030 - Data Transfer Size Limits -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1030)
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
## Atomic Tests diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index b4dbc359..01000298 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -1,5 +1,5 @@ # T1033 - System Owner/User Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1033) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1033)
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.
diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md index 9638cefa..2c0433f8 100644 --- a/atomics/T1036.003/T1036.003.md +++ b/atomics/T1036.003/T1036.003.md @@ -1,5 +1,5 @@ # T1036.003 - Rename System Utilities -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/003)
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
## Atomic Tests diff --git a/atomics/T1036.006/T1036.006.md b/atomics/T1036.006/T1036.006.md index 33f7d0bf..e8191189 100644 --- a/atomics/T1036.006/T1036.006.md +++ b/atomics/T1036.006/T1036.006.md @@ -1,5 +1,5 @@ # T1036.006 - Space after Filename -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036.006) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/006)
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back). diff --git a/atomics/T1037.001/T1037.001.md b/atomics/T1037.001/T1037.001.md index 9b432fb4..c1163486 100644 --- a/atomics/T1037.001/T1037.001.md +++ b/atomics/T1037.001/T1037.001.md @@ -1,5 +1,5 @@ # T1037.001 - Logon Script (Windows) -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/001)
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts) Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
diff --git a/atomics/T1037.002/T1037.002.md b/atomics/T1037.002/T1037.002.md index 1e2edb20..b5745668 100644 --- a/atomics/T1037.002/T1037.002.md +++ b/atomics/T1037.002/T1037.002.md @@ -1,5 +1,5 @@ # T1037.002 - Logon Script (Mac) -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/002)
Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook) Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary.
diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md index 9d850303..47a0a4c9 100644 --- a/atomics/T1037.004/T1037.004.md +++ b/atomics/T1037.004/T1037.004.md @@ -1,5 +1,5 @@ # T1037.004 - Rc.common -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004)
Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated mechanism in favor of [Launch Agent](https://attack.mitre.org/techniques/T1543/001) and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) but is currently still used. Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. (Citation: Methods of Mac Malware Persistence)
diff --git a/atomics/T1037.005/T1037.005.md b/atomics/T1037.005/T1037.005.md index 4d23936c..808ac4eb 100644 --- a/atomics/T1037.005/T1037.005.md +++ b/atomics/T1037.005/T1037.005.md @@ -1,5 +1,5 @@ # T1037.005 - Startup Items -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.005) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/005)
Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items) This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index 09551825..d3962a87 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -1,5 +1,5 @@ # T1040 - Network Sniffing -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1040) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1040)
Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index 76b28f50..822ea376 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -1,5 +1,5 @@ # T1046 - Network Service Scanning -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1046)
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index 8838d470..7f800193 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -1,5 +1,5 @@ # T1047 - Windows Management Instrumentation -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1047)
Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md index 3f0ddd2f..24e8c2e9 100644 --- a/atomics/T1048.003/T1048.003.md +++ b/atomics/T1048.003/T1048.003.md @@ -1,5 +1,5 @@ # T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1048/003)
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.
diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index 5b6976e0..6e6ecf17 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md @@ -1,5 +1,5 @@ # T1048 - Exfiltration Over Alternative Protocol -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1048)
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index ed8d109a..a1b312df 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md @@ -1,5 +1,5 @@ # T1049 - System Network Connections Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1049)
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) diff --git a/atomics/T1053.001/T1053.001.md b/atomics/T1053.001/T1053.001.md index 09b7640f..03205105 100644 --- a/atomics/T1053.001/T1053.001.md +++ b/atomics/T1053.001/T1053.001.md @@ -1,5 +1,5 @@ # T1053.001 - At (Linux) -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/001)
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux) An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
diff --git a/atomics/T1053.002/T1053.002.md b/atomics/T1053.002/T1053.002.md index 5f15c4ee..63774d6d 100644 --- a/atomics/T1053.002/T1053.002.md +++ b/atomics/T1053.002/T1053.002.md @@ -1,5 +1,5 @@ # T1053.002 - At (Windows) -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/002)
Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). diff --git a/atomics/T1053.003/T1053.003.md b/atomics/T1053.003/T1053.003.md index 12d8bab5..b0fe3386 100644 --- a/atomics/T1053.003/T1053.003.md +++ b/atomics/T1053.003/T1053.003.md @@ -1,5 +1,5 @@ # T1053.003 - Cron -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/003)
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
diff --git a/atomics/T1053.004/T1053.004.md b/atomics/T1053.004/T1053.004.md index 432008e0..14817e59 100644 --- a/atomics/T1053.004/T1053.004.md +++ b/atomics/T1053.004/T1053.004.md @@ -1,5 +1,5 @@ # T1053.004 - Launchd -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/004)
Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.
diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index 42f5c83b..73433250 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md @@ -1,5 +1,5 @@ # T1053.005 - Scheduled Task -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.005) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel. diff --git a/atomics/T1055.004/T1055.004.md b/atomics/T1055.004/T1055.004.md index 02e61e8e..9b71ca04 100644 --- a/atomics/T1055.004/T1055.004.md +++ b/atomics/T1055.004/T1055.004.md @@ -1,5 +1,5 @@ # T1055.004 - Asynchronous Procedure Call -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/004)
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index c15e3e54..4cd266ca 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -1,5 +1,5 @@ # T1055.012 - Process Hollowing -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055.012) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/012)
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Endgame Process Injection July 2017) diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 190ea173..30321a38 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -1,5 +1,5 @@ # T1055 - Process Injection -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md index bb770353..c1e605f5 100644 --- a/atomics/T1056.001/T1056.001.md +++ b/atomics/T1056.001/T1056.001.md @@ -1,5 +1,5 @@ # T1056.001 - Keylogging -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/001)
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: diff --git a/atomics/T1056.002/T1056.002.md b/atomics/T1056.002/T1056.002.md index 038d411f..2a4d379f 100644 --- a/atomics/T1056.002/T1056.002.md +++ b/atomics/T1056.002/T1056.002.md @@ -1,5 +1,5 @@ # T1056.002 - GUI Input Capture -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/002)
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).
diff --git a/atomics/T1056.004/T1056.004.md b/atomics/T1056.004/T1056.004.md index 448ac094..a0ff008a 100644 --- a/atomics/T1056.004/T1056.004.md +++ b/atomics/T1056.004/T1056.004.md @@ -1,5 +1,5 @@ # T1056.004 - Credential API Hooking -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/004)
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017) diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md index b860e1a8..0457a658 100644 --- a/atomics/T1057/T1057.md +++ b/atomics/T1057/T1057.md @@ -1,5 +1,5 @@ # T1057 - Process Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1057) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1057)
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index 34b1bff7..ebbf5afe 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -1,5 +1,5 @@ # T1059.001 - PowerShell -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/001)
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. diff --git a/atomics/T1059.002/T1059.002.md b/atomics/T1059.002/T1059.002.md index 7627617d..aa4127f1 100644 --- a/atomics/T1059.002/T1059.002.md +++ b/atomics/T1059.002/T1059.002.md @@ -1,5 +1,5 @@ # T1059.002 - AppleScript -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/002)
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution. osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 173b0b36..6c5c879f 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -1,5 +1,5 @@ # T1059.003 - Windows Command Shell -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/003)
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. diff --git a/atomics/T1059.004/T1059.004.md b/atomics/T1059.004/T1059.004.md index 1e6a7d7a..1b5be0f8 100644 --- a/atomics/T1059.004/T1059.004.md +++ b/atomics/T1059.004/T1059.004.md @@ -1,5 +1,5 @@ # T1059.004 - Unix Shell -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/004)
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index 6df67669..65026823 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -1,5 +1,5 @@ # T1059.005 - Visual Basic -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.005) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/005)
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) diff --git a/atomics/T1069.001/T1069.001.md b/atomics/T1069.001/T1069.001.md index 72a332f5..55a48f28 100644 --- a/atomics/T1069.001/T1069.001.md +++ b/atomics/T1069.001/T1069.001.md @@ -1,5 +1,5 @@ # T1069.001 - Local Groups -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1069/001)
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 16975068..11a224f7 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -1,5 +1,5 @@ # T1069.002 - Domain Groups -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1069/002)
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.
diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md index 02958f4f..affa9a86 100644 --- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1070.001/T1070.001.md @@ -1,5 +1,5 @@ # T1070.001 - Clear Windows Event Logs -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/001)
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. The event logs can be cleared with the following utility commands: diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md index 75b5f4e1..9600f758 100644 --- a/atomics/T1070.002/T1070.002.md +++ b/atomics/T1070.002/T1070.002.md @@ -1,5 +1,5 @@ # T1070.002 - Clear Linux or Mac System Logs -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/002)
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs) * /var/log/messages:: General and system-related messages diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index 50788c59..6b35edff 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -1,5 +1,5 @@ # T1070.003 - Clear Command History -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/003)
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. diff --git a/atomics/T1070.004/T1070.004.md b/atomics/T1070.004/T1070.004.md index edfd9ebd..1f0f4f71 100644 --- a/atomics/T1070.004/T1070.004.md +++ b/atomics/T1070.004/T1070.004.md @@ -1,5 +1,5 @@ # T1070.004 - File Deletion -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/004)
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md index e0be0d89..39a10b53 100644 --- a/atomics/T1070.005/T1070.005.md +++ b/atomics/T1070.005/T1070.005.md @@ -1,5 +1,5 @@ # T1070.005 - Network Share Connection Removal -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.005) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/005)
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)
## Atomic Tests diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md index 113c7bb5..224f3a98 100644 --- a/atomics/T1070.006/T1070.006.md +++ b/atomics/T1070.006/T1070.006.md @@ -1,5 +1,5 @@ # T1070.006 - Timestomp -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.006) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/006)
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md index 53bc1937..dac80b5c 100644 --- a/atomics/T1070/T1070.md +++ b/atomics/T1070/T1070.md @@ -1,5 +1,5 @@ # T1070 - Indicator Removal on Host -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070)
Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
diff --git a/atomics/T1071.001/T1071.001.md b/atomics/T1071.001/T1071.001.md index f9c667ee..f1ba954c 100644 --- a/atomics/T1071.001/T1071.001.md +++ b/atomics/T1071.001/T1071.001.md @@ -1,5 +1,5 @@ # T1071.001 - Web Protocols -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071/001)
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
diff --git a/atomics/T1071.004/T1071.004.md b/atomics/T1071.004/T1071.004.md index f2d87579..22de47a9 100644 --- a/atomics/T1071.004/T1071.004.md +++ b/atomics/T1071.004/T1071.004.md @@ -1,5 +1,5 @@ # T1071.004 - DNS -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071/004)
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
diff --git a/atomics/T1074.001/T1074.001.md b/atomics/T1074.001/T1074.001.md index 2434fbbf..87f04803 100644 --- a/atomics/T1074.001/T1074.001.md +++ b/atomics/T1074.001/T1074.001.md @@ -1,5 +1,5 @@ # T1074.001 - Local Data Staging -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1074.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1074/001)
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
## Atomic Tests diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index 6714cbcf..521e4d90 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -1,5 +1,5 @@ # T1078.001 - Default Accounts -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1078.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1078/001)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019) Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)
diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index ded38342..4336ddda 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -1,5 +1,5 @@ # T1082 - System Information Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1082) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1082)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges. diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index 40d05ee0..a50dbcfe 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md @@ -1,5 +1,5 @@ # T1083 - File and Directory Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1083) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1083)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).
diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md index a3a9de95..7bf13c1d 100644 --- a/atomics/T1087.001/T1087.001.md +++ b/atomics/T1087.001/T1087.001.md @@ -1,5 +1,5 @@ # T1087.001 - Local Account -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1087/001)
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file.
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 345a012b..7754e432 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -1,5 +1,5 @@ # T1087.002 - Domain Account -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1087/002)
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.
diff --git a/atomics/T1090.001/T1090.001.md b/atomics/T1090.001/T1090.001.md index 80d44440..3559cb9e 100644 --- a/atomics/T1090.001/T1090.001.md +++ b/atomics/T1090.001/T1090.001.md @@ -1,5 +1,5 @@ # T1090.001 - Internal Proxy -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1090/001)
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md index b100d29b..4c42e643 100644 --- a/atomics/T1095/T1095.md +++ b/atomics/T1095/T1095.md @@ -1,5 +1,5 @@ # T1095 - Non-Application Layer Protocol -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1095) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1095)
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 92953a53..221f8feb 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -1,5 +1,5 @@ # T1098 - Account Manipulation -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1098) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098)
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
## Atomic Tests diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 3d15c234..fc154f30 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -1,5 +1,5 @@ # T1105 - Ingress Tool Transfer -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1105)
Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
## Atomic Tests diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md index 6f1628be..6e9899b7 100644 --- a/atomics/T1106/T1106.md +++ b/atomics/T1106/T1106.md @@ -1,5 +1,5 @@ # T1106 - Native API -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1106) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1106)
Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index 28bb7b27..9d413cf2 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -1,5 +1,5 @@ # T1110.001 - Password Guessing -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/001)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) diff --git a/atomics/T1110.002/T1110.002.md b/atomics/T1110.002/T1110.002.md index fadb45e8..d2184605 100644 --- a/atomics/T1110.002/T1110.002.md +++ b/atomics/T1110.002/T1110.002.md @@ -1,5 +1,5 @@ # T1110.002 - Password Cracking -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/002)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.
## Atomic Tests diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index 811eacfa..e5eae09d 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -1,5 +1,5 @@ # T1110.003 - Password Spraying -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/003)
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying) Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 6f05eb09..8c866913 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -1,5 +1,5 @@ # T1112 - Modify Registry -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1112) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1112)
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API. diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index aa3e723c..62aea3c3 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md @@ -1,5 +1,5 @@ # T1113 - Screen Capture -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1113)
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
diff --git a/atomics/T1114.001/T1114.001.md b/atomics/T1114.001/T1114.001.md index e27512c9..6e5aa9a7 100644 --- a/atomics/T1114.001/T1114.001.md +++ b/atomics/T1114.001/T1114.001.md @@ -1,5 +1,5 @@ # T1114.001 - Local Email Collection -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1114.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1114/001)
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)
diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md index 319d2d73..a687b3ab 100644 --- a/atomics/T1115/T1115.md +++ b/atomics/T1115/T1115.md @@ -1,5 +1,5 @@ # T1115 - Clipboard Data -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1115)
Adversaries may collect data stored in the clipboard from users copying information within or between applications. In Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)
diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md index 5dc66465..ac5f303f 100644 --- a/atomics/T1119/T1119.md +++ b/atomics/T1119/T1119.md @@ -1,5 +1,5 @@ # T1119 - Automated Collection -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1119) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1119)
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.
diff --git a/atomics/T1123/T1123.md b/atomics/T1123/T1123.md index a9664ba6..89a3dc0d 100644 --- a/atomics/T1123/T1123.md +++ b/atomics/T1123/T1123.md @@ -1,5 +1,5 @@ # T1123 - Audio Capture -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1123) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1123)
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md index 0392c1d1..0f55b4f5 100644 --- a/atomics/T1124/T1124.md +++ b/atomics/T1124/T1124.md @@ -1,5 +1,5 @@ # T1124 - System Time Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1124) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1124)
An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service) System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.
diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md index c912c41a..5be28313 100644 --- a/atomics/T1127.001/T1127.001.md +++ b/atomics/T1127.001/T1127.001.md @@ -1,5 +1,5 @@ # T1127.001 - MSBuild -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1127.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1127/001)
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
diff --git a/atomics/T1132.001/T1132.001.md b/atomics/T1132.001/T1132.001.md index c432d66c..0fcad8c1 100644 --- a/atomics/T1132.001/T1132.001.md +++ b/atomics/T1132.001/T1132.001.md @@ -1,5 +1,5 @@ # T1132.001 - Standard Encoding -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1132.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1132/001)
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
## Atomic Tests diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md index c4d3066c..c764764d 100644 --- a/atomics/T1134.004/T1134.004.md +++ b/atomics/T1134.004/T1134.004.md @@ -1,5 +1,5 @@ # T1134.004 - Parent PID Spoofing -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1134.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1134/004)
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 4f3a8b0e..eaace638 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -1,5 +1,5 @@ # T1135 - Network Share Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1135) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1135)
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. diff --git a/atomics/T1136.001/T1136.001.md b/atomics/T1136.001/T1136.001.md index 38303054..ed13f916 100644 --- a/atomics/T1136.001/T1136.001.md +++ b/atomics/T1136.001/T1136.001.md @@ -1,5 +1,5 @@ # T1136.001 - Local Account -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1136/001)
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md index 90cffb74..71607740 100644 --- a/atomics/T1140/T1140.md +++ b/atomics/T1140/T1140.md @@ -1,5 +1,5 @@ # T1140 - Deobfuscate/Decode Files or Information -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1140) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1140)
Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016) diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md index 82c595d3..787f6a7f 100644 --- a/atomics/T1176/T1176.md +++ b/atomics/T1176/T1176.md @@ -1,5 +1,5 @@ # T1176 - Browser Extensions -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1176) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1176)
Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials) (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md index 59323363..6b4c0f1b 100644 --- a/atomics/T1197/T1197.md +++ b/atomics/T1197/T1197.md @@ -1,5 +1,5 @@ # T1197 - BITS Jobs -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1197) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1197)
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. (Citation: Microsoft BITSAdmin) diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md index cd2ad485..42998236 100644 --- a/atomics/T1201/T1201.md +++ b/atomics/T1201/T1201.md @@ -1,5 +1,5 @@ # T1201 - Password Policy Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1201) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1201)
Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md index 2fc74e43..5c56076a 100644 --- a/atomics/T1202/T1202.md +++ b/atomics/T1202/T1202.md @@ -1,5 +1,5 @@ # T1202 - Indirect Command Execution -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1202) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1202)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index d9916b73..4f980eca 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md @@ -1,5 +1,5 @@ # T1204.002 - Malicious File -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1204.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1204/002)
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it. diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md index 13c19d76..dd818ba3 100644 --- a/atomics/T1207/T1207.md +++ b/atomics/T1207/T1207.md @@ -1,5 +1,5 @@ # T1207 - Rogue Domain Controller -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1207) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1207)
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide) diff --git a/atomics/T1216.001/T1216.001.md b/atomics/T1216.001/T1216.001.md index de1597eb..629309d6 100644 --- a/atomics/T1216.001/T1216.001.md +++ b/atomics/T1216.001/T1216.001.md @@ -1,5 +1,5 @@ # T1216.001 - PubPrn -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1216/001)
Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.
diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md index c5ac55a8..d14d2c8b 100644 --- a/atomics/T1216/T1216.md +++ b/atomics/T1216/T1216.md @@ -1,5 +1,5 @@ # T1216 - Signed Script Proxy Execution -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1216)
Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)
## Atomic Tests diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md index 0b0a463d..a3d1635b 100644 --- a/atomics/T1217/T1217.md +++ b/atomics/T1217/T1217.md @@ -1,5 +1,5 @@ # T1217 - Browser Bookmark Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1217) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1217)
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser. diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md index 975f9ef4..dd94ab0a 100644 --- a/atomics/T1218.001/T1218.001.md +++ b/atomics/T1218.001/T1218.001.md @@ -1,5 +1,5 @@ # T1218.001 - Compiled HTML File -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/001)
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program) A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md index 1598a763..82a817b0 100644 --- a/atomics/T1218.002/T1218.002.md +++ b/atomics/T1218.002/T1218.002.md @@ -1,5 +1,5 @@ # T1218.002 - Control Panel -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/002)
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL) diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md index 41e8b4de..d82855fd 100644 --- a/atomics/T1218.003/T1218.003.md +++ b/atomics/T1218.003/T1218.003.md @@ -1,5 +1,5 @@ # T1218.003 - CMSTP -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/003)
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. diff --git a/atomics/T1218.004/T1218.004.md b/atomics/T1218.004/T1218.004.md index fb959189..c7a174a8 100644 --- a/atomics/T1218.004/T1218.004.md +++ b/atomics/T1218.004/T1218.004.md @@ -1,5 +1,5 @@ # T1218.004 - InstallUtil -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/004)
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md index bddf999c..7b35e97e 100644 --- a/atomics/T1218.005/T1218.005.md +++ b/atomics/T1218.005/T1218.005.md @@ -1,5 +1,5 @@ # T1218.005 - Mshta -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.005) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/005)
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md index e0e53a4e..13563437 100644 --- a/atomics/T1218.007/T1218.007.md +++ b/atomics/T1218.007/T1218.007.md @@ -1,5 +1,5 @@ # T1218.007 - Msiexec -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.007) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/007)
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse.
diff --git a/atomics/T1218.008/T1218.008.md b/atomics/T1218.008/T1218.008.md index fcba19fd..be140831 100644 --- a/atomics/T1218.008/T1218.008.md +++ b/atomics/T1218.008/T1218.008.md @@ -1,5 +1,5 @@ # T1218.008 - Odbcconf -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.008) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/008)
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) diff --git a/atomics/T1218.009/T1218.009.md b/atomics/T1218.009/T1218.009.md index 1ab15341..0ee1701a 100644 --- a/atomics/T1218.009/T1218.009.md +++ b/atomics/T1218.009/T1218.009.md @@ -1,5 +1,5 @@ # T1218.009 - Regsvcs/Regasm -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.009) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/009)
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md index 9597db5f..ab4c7ae5 100644 --- a/atomics/T1218.010/T1218.010.md +++ b/atomics/T1218.010/T1218.010.md @@ -1,5 +1,5 @@ # T1218.010 - Regsvr32 -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.010) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/010)
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md index a87dd10d..3c04be73 100644 --- a/atomics/T1218.011/T1218.011.md +++ b/atomics/T1218.011/T1218.011.md @@ -1,5 +1,5 @@ # T1218.011 - Rundll32 -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.011) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/011)
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads. Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index 97419915..f04f0d2b 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -1,5 +1,5 @@ # T1218 - Signed Binary Proxy Execution -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218)
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.
## Atomic Tests diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index 52b4a0b2..e569b4f2 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -1,5 +1,5 @@ # T1219 - Remote Access Software -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1219) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1219)
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md index 50846cf5..18147a9c 100644 --- a/atomics/T1220/T1220.md +++ b/atomics/T1220/T1220.md @@ -1,5 +1,5 @@ # T1220 - XSL Script Processing -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1220) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1220)
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017) Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019) diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index f496fd4b..c4024725 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -1,5 +1,5 @@ # T1222.001 - Windows File and Directory Permissions Modification -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1222.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1222/001)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018) diff --git a/atomics/T1222.002/T1222.002.md b/atomics/T1222.002/T1222.002.md index 567a66ce..4e59f547 100644 --- a/atomics/T1222.002/T1222.002.md +++ b/atomics/T1222.002/T1222.002.md @@ -1,5 +1,5 @@ # T1222.002 - Linux and Mac File and Directory Permissions Modification -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1222.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1222/002)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode). diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index fcffe2c3..a1237139 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -1,5 +1,5 @@ # T1482 - Domain Trust Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1482) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1482)
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)
## Atomic Tests diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 1fe1feb1..96c1ec81 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -1,5 +1,5 @@ # T1485 - Data Destruction -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1485) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1485)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md index f135ba12..7ff35bce 100644 --- a/atomics/T1489/T1489.md +++ b/atomics/T1489/T1489.md @@ -1,5 +1,5 @@ # T1489 - Service Stop -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1489) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1489)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md index ff47a09e..1d26e07d 100644 --- a/atomics/T1490/T1490.md +++ b/atomics/T1490/T1490.md @@ -1,5 +1,5 @@ # T1490 - Inhibit System Recovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1490) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1490)
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md index e4dff5b1..d4882c10 100644 --- a/atomics/T1496/T1496.md +++ b/atomics/T1496/T1496.md @@ -1,5 +1,5 @@ # T1496 - Resource Hijacking -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1496) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1496)
Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.
diff --git a/atomics/T1505.002/T1505.002.md b/atomics/T1505.002/T1505.002.md index 517ec54d..974d261b 100644 --- a/atomics/T1505.002/T1505.002.md +++ b/atomics/T1505.002/T1505.002.md @@ -1,5 +1,5 @@ # T1505.002 - Transport Agent -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1505.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1505/002)
Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.
diff --git a/atomics/T1505.003/T1505.003.md b/atomics/T1505.003/T1505.003.md index 958f359e..5749d721 100644 --- a/atomics/T1505.003/T1505.003.md +++ b/atomics/T1505.003/T1505.003.md @@ -1,5 +1,5 @@ # T1505.003 - Web Shell -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1505.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1505/003)
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)
diff --git a/atomics/T1518.001/T1518.001.md b/atomics/T1518.001/T1518.001.md index 6be8beac..7a626007 100644 --- a/atomics/T1518.001/T1518.001.md +++ b/atomics/T1518.001/T1518.001.md @@ -1,5 +1,5 @@ # T1518.001 - Security Software Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1518/001)
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index d8e83b08..5b210391 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -1,5 +1,5 @@ # T1518 - Software Discovery -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1518)
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md index e0401db9..15aa0390 100644 --- a/atomics/T1529/T1529.md +++ b/atomics/T1529/T1529.md @@ -1,5 +1,5 @@ # T1529 - System Shutdown/Reboot -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1529) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1529)
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md index 35592027..025c33ba 100644 --- a/atomics/T1531/T1531.md +++ b/atomics/T1531/T1531.md @@ -1,5 +1,5 @@ # T1531 - Account Access Removal -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1531) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1531)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
diff --git a/atomics/T1543.001/T1543.001.md b/atomics/T1543.001/T1543.001.md index d8425579..9eecc4dd 100644 --- a/atomics/T1543.001/T1543.001.md +++ b/atomics/T1543.001/T1543.001.md @@ -1,5 +1,5 @@ # T1543.001 - Launch Agent -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1543.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1543/001)
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware). Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index 33006674..79c0e9b6 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -1,5 +1,5 @@ # T1543.002 - Systemd Service -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1543.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1543/002)
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands: diff --git a/atomics/T1543.003/T1543.003.md b/atomics/T1543.003/T1543.003.md index 87464aee..7dfa0832 100644 --- a/atomics/T1543.003/T1543.003.md +++ b/atomics/T1543.003/T1543.003.md @@ -1,5 +1,5 @@ # T1543.003 - Windows Service -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1543.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1543/003)
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. diff --git a/atomics/T1543.004/T1543.004.md b/atomics/T1543.004/T1543.004.md index 14ce3c0c..cae1c5d4 100644 --- a/atomics/T1543.004/T1543.004.md +++ b/atomics/T1543.004/T1543.004.md @@ -1,5 +1,5 @@ # T1543.004 - Launch Daemon -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1543.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1543/004)
Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. diff --git a/atomics/T1546.001/T1546.001.md b/atomics/T1546.001/T1546.001.md index c109d920..72cbb2da 100644 --- a/atomics/T1546.001/T1546.001.md +++ b/atomics/T1546.001/T1546.001.md @@ -1,5 +1,5 @@ # T1546.001 - Change Default File Association -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/001)
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example: diff --git a/atomics/T1546.002/T1546.002.md b/atomics/T1546.002/T1546.002.md index 18977b0a..0677ca63 100644 --- a/atomics/T1546.002/T1546.002.md +++ b/atomics/T1546.002/T1546.002.md @@ -1,5 +1,5 @@ # T1546.002 - Screensaver -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/002)
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence: diff --git a/atomics/T1546.003/T1546.003.md b/atomics/T1546.003/T1546.003.md index 89c7dfea..8ea3551c 100644 --- a/atomics/T1546.003/T1546.003.md +++ b/atomics/T1546.003/T1546.003.md @@ -1,5 +1,5 @@ # T1546.003 - Windows Management Instrumentation Event Subscription -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/003)
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018) diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md index c783e15d..e7f9711c 100644 --- a/atomics/T1546.004/T1546.004.md +++ b/atomics/T1546.004/T1546.004.md @@ -1,5 +1,5 @@ # T1546.004 - .bash_profile and .bashrc -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/004)
Adversaries may establish persistence by executing malicious content triggered by a user’s shell. ~/.bash_profile and ~/.bashrc are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the ~/.bash_profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment. diff --git a/atomics/T1546.005/T1546.005.md b/atomics/T1546.005/T1546.005.md index f9787575..fc801714 100644 --- a/atomics/T1546.005/T1546.005.md +++ b/atomics/T1546.005/T1546.005.md @@ -1,5 +1,5 @@ # T1546.005 - Trap -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.005) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/005)
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
diff --git a/atomics/T1546.007/T1546.007.md b/atomics/T1546.007/T1546.007.md index 34fb01b2..fb98bab9 100644 --- a/atomics/T1546.007/T1546.007.md +++ b/atomics/T1546.007/T1546.007.md @@ -1,5 +1,5 @@ # T1546.007 - Netsh Helper DLL -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.007) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/007)
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
diff --git a/atomics/T1546.008/T1546.008.md b/atomics/T1546.008/T1546.008.md index 46b2bf64..0a0597d9 100644 --- a/atomics/T1546.008/T1546.008.md +++ b/atomics/T1546.008/T1546.008.md @@ -1,5 +1,5 @@ # T1546.008 - Accessibility Features -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.008) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/008)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) diff --git a/atomics/T1546.010/T1546.010.md b/atomics/T1546.010/T1546.010.md index 5a78bf85..37cc8967 100644 --- a/atomics/T1546.010/T1546.010.md +++ b/atomics/T1546.010/T1546.010.md @@ -1,5 +1,5 @@ # T1546.010 - AppInit DLLs -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.010) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/010)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Endgame Process Injection July 2017) Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md index 789da6ec..067c7d43 100644 --- a/atomics/T1546.011/T1546.011.md +++ b/atomics/T1546.011/T1546.011.md @@ -1,5 +1,5 @@ # T1546.011 - Application Shimming -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.011) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/011)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md index 1d02d471..03389b7d 100644 --- a/atomics/T1546.012/T1546.012.md +++ b/atomics/T1546.012/T1546.012.md @@ -1,5 +1,5 @@ # T1546.012 - Image File Execution Options Injection -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.012) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/012)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) diff --git a/atomics/T1546.013/T1546.013.md b/atomics/T1546.013/T1546.013.md index 083ae418..ddd23f09 100644 --- a/atomics/T1546.013/T1546.013.md +++ b/atomics/T1546.013/T1546.013.md @@ -1,5 +1,5 @@ # T1546.013 - PowerShell Profile -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.013) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/013)
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments. [PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) diff --git a/atomics/T1546.014/T1546.014.md b/atomics/T1546.014/T1546.014.md index 63f2a871..1e5dbb49 100644 --- a/atomics/T1546.014/T1546.014.md +++ b/atomics/T1546.014/T1546.014.md @@ -1,5 +1,5 @@ # T1546.014 - Emond -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.014) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/014)
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index c0aeef82..a600883b 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -1,5 +1,5 @@ # T1547.001 - Registry Run Keys / Startup Folder -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/001)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. diff --git a/atomics/T1547.004/T1547.004.md b/atomics/T1547.004/T1547.004.md index 57071d6c..5fe2f423 100644 --- a/atomics/T1547.004/T1547.004.md +++ b/atomics/T1547.004/T1547.004.md @@ -1,5 +1,5 @@ # T1547.004 - Winlogon Helper DLL -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/004)
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013) diff --git a/atomics/T1547.005/T1547.005.md b/atomics/T1547.005/T1547.005.md index 3f7a8045..3b89b849 100644 --- a/atomics/T1547.005/T1547.005.md +++ b/atomics/T1547.005/T1547.005.md @@ -1,5 +1,5 @@ # T1547.005 - Security Support Provider -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.005) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/005)
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/atomics/T1547.006/T1547.006.md b/atomics/T1547.006/T1547.006.md index c4c93bb2..a7e4fa19 100644 --- a/atomics/T1547.006/T1547.006.md +++ b/atomics/T1547.006/T1547.006.md @@ -1,5 +1,5 @@ # T1547.006 - Kernel Modules and Extensions -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.006) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/006)
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming)  When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) diff --git a/atomics/T1547.007/T1547.007.md b/atomics/T1547.007/T1547.007.md index f35918da..42a377fa 100644 --- a/atomics/T1547.007/T1547.007.md +++ b/atomics/T1547.007/T1547.007.md @@ -1,5 +1,5 @@ # T1547.007 - Re-opened Applications -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.007) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/007)
Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).
diff --git a/atomics/T1547.009/T1547.009.md b/atomics/T1547.009/T1547.009.md index 371bc4f9..c2f26034 100644 --- a/atomics/T1547.009/T1547.009.md +++ b/atomics/T1547.009/T1547.009.md @@ -1,5 +1,5 @@ # T1547.009 - Shortcut Modification -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.009) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/009)
Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.
diff --git a/atomics/T1547.011/T1547.011.md b/atomics/T1547.011/T1547.011.md index 1131a045..e18c5b40 100644 --- a/atomics/T1547.011/T1547.011.md +++ b/atomics/T1547.011/T1547.011.md @@ -1,5 +1,5 @@ # T1547.011 - Plist Modification -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.011) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/011)
Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.(Citation: Sofacy Komplex Trojan) diff --git a/atomics/T1548.001/T1548.001.md b/atomics/T1548.001/T1548.001.md index 1a61be99..5cee87b3 100644 --- a/atomics/T1548.001/T1548.001.md +++ b/atomics/T1548.001/T1548.001.md @@ -1,5 +1,5 @@ # T1548.001 - Setuid and Setgid -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1548.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1548/001)
An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 67f05527..474cfe54 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -1,5 +1,5 @@ # T1548.002 - Bypass User Access Control -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1548.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1548/002)
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) diff --git a/atomics/T1548.003/T1548.003.md b/atomics/T1548.003/T1548.003.md index 8e6399d7..dc2d0842 100644 --- a/atomics/T1548.003/T1548.003.md +++ b/atomics/T1548.003/T1548.003.md @@ -1,5 +1,5 @@ # T1548.003 - Sudo and Sudo Caching -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1548.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1548/003)
Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md index 63eca514..188355b0 100644 --- a/atomics/T1550.002/T1550.002.md +++ b/atomics/T1550.002/T1550.002.md @@ -1,5 +1,5 @@ # T1550.002 - Pass the Hash -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1550.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1550/002)
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.(Citation: NSA Spotting)
diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md index 63061ec3..96a3cf61 100644 --- a/atomics/T1550.003/T1550.003.md +++ b/atomics/T1550.003/T1550.003.md @@ -1,5 +1,5 @@ # T1550.003 - Pass the Ticket -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1550.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1550/003)
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md index f2495f86..1bd6f261 100644 --- a/atomics/T1552.001/T1552.001.md +++ b/atomics/T1552.001/T1552.001.md @@ -1,5 +1,5 @@ # T1552.001 - Credentials In Files -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1552.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552/001)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP) diff --git a/atomics/T1552.002/T1552.002.md b/atomics/T1552.002/T1552.002.md index a085391d..ceefc502 100644 --- a/atomics/T1552.002/T1552.002.md +++ b/atomics/T1552.002/T1552.002.md @@ -1,5 +1,5 @@ # T1552.002 - Credentials in Registry -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1552.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552/002)
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials) diff --git a/atomics/T1552.003/T1552.003.md b/atomics/T1552.003/T1552.003.md index 3cd04958..61a5049e 100644 --- a/atomics/T1552.003/T1552.003.md +++ b/atomics/T1552.003/T1552.003.md @@ -1,5 +1,5 @@ # T1552.003 - Bash History -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1552.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552/003)
Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
## Atomic Tests diff --git a/atomics/T1552.004/T1552.004.md b/atomics/T1552.004/T1552.004.md index 035b0c74..d9eb8d26 100644 --- a/atomics/T1552.004/T1552.004.md +++ b/atomics/T1552.004/T1552.004.md @@ -1,5 +1,5 @@ # T1552.004 - Private Keys -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1552.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552/004)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. diff --git a/atomics/T1552.006/T1552.006.md b/atomics/T1552.006/T1552.006.md index 2ec1ee1b..1fea602a 100644 --- a/atomics/T1552.006/T1552.006.md +++ b/atomics/T1552.006/T1552.006.md @@ -1,5 +1,5 @@ # T1552.006 - Group Policy Preferences -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1552.006) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552/006)
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016) These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key) diff --git a/atomics/T1553.001/T1553.001.md b/atomics/T1553.001/T1553.001.md index 93b9084f..132e129c 100644 --- a/atomics/T1553.001/T1553.001.md +++ b/atomics/T1553.001/T1553.001.md @@ -1,5 +1,5 @@ # T1553.001 - Gatekeeper Bypass -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1553.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/001)
Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution. Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). This completely bypasses the built-in Gatekeeper check. (Citation: Methods of Mac Malware Persistence) The presence of the quarantine flag can be checked by the xattr command xattr /path/to/MyApp.app for com.apple.quarantine. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app. (Citation: Clearing quarantine attribute) (Citation: OceanLotus for OS X) diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index 6a6877bb..95ff2aad 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -1,5 +1,5 @@ # T1553.004 - Install Root Certificate -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1553.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/004)
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. (Citation: Operation Emmental) diff --git a/atomics/T1555.001/T1555.001.md b/atomics/T1555.001/T1555.001.md index a2d0b2ce..4639ef46 100644 --- a/atomics/T1555.001/T1555.001.md +++ b/atomics/T1555.001/T1555.001.md @@ -1,5 +1,5 @@ # T1555.001 - Keychain -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1555.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555/001)
Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.
diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index 1906c05a..7ff76184 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -1,5 +1,5 @@ # T1555.003 - Credentials from Web Browsers -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1555.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555/003)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData ‎April 2018) diff --git a/atomics/T1556.002/T1556.002.md b/atomics/T1556.002/T1556.002.md index 0e591152..a8dcd535 100644 --- a/atomics/T1556.002/T1556.002.md +++ b/atomics/T1556.002/T1556.002.md @@ -1,5 +1,5 @@ # T1556.002 - Password Filter DLL -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1556.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1556/002)
Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md index 71c8f8eb..cd454141 100644 --- a/atomics/T1558.003/T1558.003.md +++ b/atomics/T1558.003/T1558.003.md @@ -1,5 +1,5 @@ # T1558.003 - Kerberoasting -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1558.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1558/003)
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) diff --git a/atomics/T1559.002/T1559.002.md b/atomics/T1559.002/T1559.002.md index bc718f14..191c83d5 100644 --- a/atomics/T1559.002/T1559.002.md +++ b/atomics/T1559.002/T1559.002.md @@ -1,5 +1,5 @@ # T1559.002 - Dynamic Data Exchange -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1559.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1559/002)
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017) diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index ae33bedd..ebd61861 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md @@ -1,5 +1,5 @@ # T1560.001 - Archive via Utility -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1560.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1560/001)
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data. Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.
diff --git a/atomics/T1560/T1560.md b/atomics/T1560/T1560.md index fafa2328..4ef9d90f 100644 --- a/atomics/T1560/T1560.md +++ b/atomics/T1560/T1560.md @@ -1,5 +1,5 @@ # T1560 - Archive Collected Data -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1560) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1560)
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index 57adacc4..6d956735 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md @@ -1,5 +1,5 @@ # T1562.001 - Disable or Modify Tools -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1562.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/001)
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
## Atomic Tests diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md index 54c35e20..5701512c 100644 --- a/atomics/T1562.002/T1562.002.md +++ b/atomics/T1562.002/T1562.002.md @@ -1,5 +1,5 @@ # T1562.002 - Disable Windows Event Logging -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1562.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/002)
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. Adversaries may targeting system-wide logging or just that of a particular application. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md index 28e7e09f..84bd6076 100644 --- a/atomics/T1562.003/T1562.003.md +++ b/atomics/T1562.003/T1562.003.md @@ -1,5 +1,5 @@ # T1562.003 - HISTCONTROL -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1562.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/003)
Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index 2573af21..12e30278 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md @@ -1,5 +1,5 @@ # T1562.004 - Disable or Modify System Firewall -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1562.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/004)
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
diff --git a/atomics/T1563.002/T1563.002.md b/atomics/T1563.002/T1563.002.md index 9fd74b50..67e1d2b3 100644 --- a/atomics/T1563.002/T1563.002.md +++ b/atomics/T1563.002/T1563.002.md @@ -1,5 +1,5 @@ # T1563.002 - RDP Hijacking -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1563.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1563/002)
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\windows\system32\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)
diff --git a/atomics/T1564.001/T1564.001.md b/atomics/T1564.001/T1564.001.md index e20c6446..34beb7d0 100644 --- a/atomics/T1564.001/T1564.001.md +++ b/atomics/T1564.001/T1564.001.md @@ -1,5 +1,5 @@ # T1564.001 - Hidden Files and Directories -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1564.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/001)
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS). On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. diff --git a/atomics/T1564.002/T1564.002.md b/atomics/T1564.002/T1564.002.md index 813905a4..f2059103 100644 --- a/atomics/T1564.002/T1564.002.md +++ b/atomics/T1564.002/T1564.002.md @@ -1,5 +1,5 @@ # T1564.002 - Hidden Users -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1564.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/002)
Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit).
diff --git a/atomics/T1564.003/T1564.003.md b/atomics/T1564.003/T1564.003.md index 86e80123..90ebee33 100644 --- a/atomics/T1564.003/T1564.003.md +++ b/atomics/T1564.003/T1564.003.md @@ -1,5 +1,5 @@ # T1564.003 - Hidden Window -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1564.003) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/003)
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. On Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019) diff --git a/atomics/T1564.004/T1564.004.md b/atomics/T1564.004/T1564.004.md index c350a0b6..1ae1c4e7 100644 --- a/atomics/T1564.004/T1564.004.md +++ b/atomics/T1564.004/T1564.004.md @@ -1,5 +1,5 @@ # T1564.004 - NTFS File Attributes -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1564.004) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/004)
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014) Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)
diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index f6af47f1..bffe1cd7 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -1,5 +1,5 @@ # T1566.001 - Spearphishing Attachment -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1566.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1566/001)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
diff --git a/atomics/T1569.001/T1569.001.md b/atomics/T1569.001/T1569.001.md index a71d8d12..62e0d648 100644 --- a/atomics/T1569.001/T1569.001.md +++ b/atomics/T1569.001/T1569.001.md @@ -1,5 +1,5 @@ # T1569.001 - Launchctl -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1569.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1569/001)
Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man) By loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan) diff --git a/atomics/T1569.002/T1569.002.md b/atomics/T1569.002/T1569.002.md index eb0d8e27..1436b2bd 100644 --- a/atomics/T1569.002/T1569.002.md +++ b/atomics/T1569.002/T1569.002.md @@ -1,5 +1,5 @@ # T1569.002 - Service Execution -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1569.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1569/002)
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) diff --git a/atomics/T1571/T1571.md b/atomics/T1571/T1571.md index 094e8ecb..2cb01cc2 100644 --- a/atomics/T1571/T1571.md +++ b/atomics/T1571/T1571.md @@ -1,5 +1,5 @@ # T1571 - Non-Standard Port -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1571) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1571)
Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
## Atomic Tests diff --git a/atomics/T1573/T1573.md b/atomics/T1573/T1573.md index 4fb3327a..ae595366 100644 --- a/atomics/T1573/T1573.md +++ b/atomics/T1573/T1573.md @@ -1,5 +1,5 @@ # T1573 - Encrypted Channel -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1573) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1573)
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
## Atomic Tests diff --git a/atomics/T1574.001/T1574.001.md b/atomics/T1574.001/T1574.001.md index f916c509..76e19e49 100644 --- a/atomics/T1574.001/T1574.001.md +++ b/atomics/T1574.001/T1574.001.md @@ -1,5 +1,5 @@ # T1574.001 - DLL Search Order Hijacking -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.001) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/001)
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md index 205f79be..cef0ca58 100644 --- a/atomics/T1574.002/T1574.002.md +++ b/atomics/T1574.002/T1574.002.md @@ -1,5 +1,5 @@ # T1574.002 - DLL Side-Loading -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.002) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/002)
Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program. Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. (Citation: FireEye DLL Side-Loading) diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md index cb03959c..a3370e4d 100644 --- a/atomics/T1574.006/T1574.006.md +++ b/atomics/T1574.006/T1574.006.md @@ -1,5 +1,5 @@ # T1574.006 - LD_PRELOAD -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.006) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/006)
Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997) diff --git a/atomics/T1574.009/T1574.009.md b/atomics/T1574.009/T1574.009.md index 07daf74d..3fe053da 100644 --- a/atomics/T1574.009/T1574.009.md +++ b/atomics/T1574.009/T1574.009.md @@ -1,5 +1,5 @@ # T1574.009 - Path Interception by Unquoted Path -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.009) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/009)
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) diff --git a/atomics/T1574.011/T1574.011.md b/atomics/T1574.011/T1574.011.md index 4edfc84c..3a5aac6e 100644 --- a/atomics/T1574.011/T1574.011.md +++ b/atomics/T1574.011/T1574.011.md @@ -1,5 +1,5 @@ # T1574.011 - Services Registry Permissions Weakness -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.011) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/011)
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: Registry Key Security) If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md index d04da030..db753b19 100644 --- a/atomics/T1574.012/T1574.012.md +++ b/atomics/T1574.012/T1574.012.md @@ -1,5 +1,5 @@ # T1574.012 - COR_PROFILER -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.012) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/012)
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)