{
    "enterprise-attack": {
        "techniques": {
            "additions": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-30 16:37:40.271000+00:00",
                    "modified": "2020-10-22 17:59:17.606000+00:00",
                    "name": "Acquire Infrastructure",
                    "description": "Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1583",
                            "external_id": "T1583"
                        },
                        {
                            "source_name": "TrendmicroHideoutsLease",
                            "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.",
                            "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Much of this activity may take place outside the visibility of the target organization, making detection of this behavior difficult.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:49:05.467000+00:00",
                    "modified": "2020-10-05 02:15:01.325000+00:00",
                    "name": "Botnet",
                    "description": "Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1583/005",
                            "external_id": "T1583.005"
                        },
                        {
                            "source_name": "Norton Botnet",
                            "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.",
                            "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html"
                        },
                        {
                            "source_name": "Imperva DDoS for Hire",
                            "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.",
                            "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/"
                        },
                        {
                            "source_name": "Krebs-Anna",
                            "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.",
                            "url": "https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/"
                        },
                        {
                            "source_name": "Krebs-Bazaar",
                            "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.",
                            "url": "https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/"
                        },
                        {
                            "source_name": "Krebs-Booter",
                            "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017.",
                            "url": "https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:40:45.279000+00:00",
                    "modified": "2020-10-19 00:11:26.376000+00:00",
                    "name": "DNS Server",
                    "description": "Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1583/002",
                            "external_id": "T1583.002"
                        },
                        {
                            "source_name": "Unit42 DNS Mar 2019",
                            "description": "Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can be (ab)used by malicious actors. Retrieved October 3, 2020.",
                            "url": "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-30 17:09:31.878000+00:00",
                    "modified": "2020-10-20 20:25:29.310000+00:00",
                    "name": "Domains",
                    "description": "Before compromising a victim, adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1583/001",
                            "external_id": "T1583.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/630.html",
                            "external_id": "CAPEC-630"
                        },
                        {
                            "source_name": "CISA MSS Sep 2020",
                            "description": "CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-258a"
                        },
                        {
                            "source_name": "FireEye APT28",
                            "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
                        },
                        {
                            "source_name": "PaypalScam",
                            "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.",
                            "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/"
                        },
                        {
                            "source_name": "CISA IDN ST05-016",
                            "description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Wes Hurd",
                        "Vinayak Wadhwa, Lucideus",
                        "Deloitte Threat Library Team"
                    ],
                    "x_mitre_data_sources": [
                        "Domain registration"
                    ],
                    "x_mitre_detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:48:09.578000+00:00",
                    "modified": "2020-10-12 16:49:11.340000+00:00",
                    "name": "Server",
                    "description": "Before compromising a victim, adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1583/004",
                            "external_id": "T1583.004"
                        },
                        {
                            "source_name": "NYTStuxnet",
                            "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
                            "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:44:23.935000+00:00",
                    "modified": "2020-10-22 17:58:32.476000+00:00",
                    "name": "Virtual Private Server",
                    "description": "Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1583/003",
                            "external_id": "T1583.003"
                        },
                        {
                            "source_name": "TrendmicroHideoutsLease",
                            "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.",
                            "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:50:29.936000+00:00",
                    "modified": "2020-10-22 17:59:17.456000+00:00",
                    "name": "Web Services",
                    "description": "Before compromising a victim, adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1583/006",
                            "external_id": "T1583.006"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:53:16.526000+00:00",
                    "modified": "2020-10-24 04:06:50.402000+00:00",
                    "name": "Active Scanning",
                    "description": "Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1595",
                            "external_id": "T1595"
                        },
                        {
                            "source_name": "Botnet Scan",
                            "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020.",
                            "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf"
                        },
                        {
                            "source_name": "OWASP Fingerprinting",
                            "description": "OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020.",
                            "url": "https://wiki.owasp.org/index.php/OAT-004_Fingerprinting"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Packet capture",
                        "Network device logs"
                    ],
                    "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:54:23.193000+00:00",
                    "modified": "2020-10-24 04:06:09.139000+00:00",
                    "name": "Scanning IP Blocks",
                    "description": "Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1595/001",
                            "external_id": "T1595.001"
                        },
                        {
                            "source_name": "Botnet Scan",
                            "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020.",
                            "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Packet capture",
                        "Network device logs"
                    ],
                    "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:55:16.047000+00:00",
                    "modified": "2020-10-24 03:58:06.761000+00:00",
                    "name": "Vulnerability Scanning",
                    "description": "Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1595/002",
                            "external_id": "T1595.002"
                        },
                        {
                            "source_name": "OWASP Vuln Scanning",
                            "description": "OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020.",
                            "url": "https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Packet capture",
                        "Network device logs"
                    ],
                    "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 13:40:11.118000+00:00",
                    "modified": "2020-10-22 02:24:54.640000+00:00",
                    "name": "Traffic Duplication",
                    "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, used for network analysis, that may be configured to duplicate traffic and forward it to one or more destinations for analysis by a network analyzer or other monitoring device.(Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "exfiltration"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1020/001",
                            "external_id": "T1020.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/117.html",
                            "external_id": "CAPEC-117"
                        },
                        {
                            "source_name": "Cisco Traffic Mirroring",
                            "description": "Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020.",
                            "url": "https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html"
                        },
                        {
                            "source_name": "Juniper Traffic Mirroring",
                            "description": "Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020.",
                            "url": "https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html"
                        },
                        {
                            "source_name": "US-CERT-TA18-106A",
                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Packet capture",
                        "Network protocol analysis"
                    ],
                    "x_mitre_detection": "Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed-size data packets at regular intervals). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-05 13:24:49.780000+00:00",
                    "modified": "2020-10-09 16:05:36.344000+00:00",
                    "name": "Print Processors",
                    "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.\n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver</code> Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the <code>GetPrintProcessorDirectory</code> API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1547/012",
                            "external_id": "T1547.012"
                        },
                        {
                            "source_name": "Microsoft AddPrintProcessor May 2018",
                            "description": "Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor"
                        },
                        {
                            "source_name": "ESET PipeMon May 2020",
                            "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.",
                            "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Mathieu Tartare, ESET"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "Windows Registry",
                        "File monitoring",
                        "DLL monitoring",
                        "API monitoring"
                    ],
                    "x_mitre_detection": "Monitor process API calls to <code>AddPrintProcessor</code> and <code>GetPrintProcessorDirectory</code>. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to <code>HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\\\Driver</code> or <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\Driver</code> as they pertain to print processor installations.\n\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-20 17:51:25.671000+00:00",
                    "modified": "2020-09-17 16:41:23.267000+00:00",
                    "name": "Cloud Infrastructure Discovery",
                    "description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1580",
                            "external_id": "T1580"
                        },
                        {
                            "source_name": "Amazon Describe Instance",
                            "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.",
                            "url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html"
                        },
                        {
                            "source_name": "Amazon Describe Instances API",
                            "description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.",
                            "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html"
                        },
                        {
                            "source_name": "Google Compute Instances",
                            "description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.",
                            "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list"
                        },
                        {
                            "source_name": "Microsoft AZ CLI",
                            "description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
                            "url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest"
                        },
                        {
                            "source_name": "Expel IO Evil in AWS",
                            "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.",
                            "url": "https://expel.io/blog/finding-evil-in-aws/"
                        },
                        {
                            "source_name": "Mandiant M-Trends 2020",
                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
                            "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "GCP audit logs",
                        "Stackdriver logs",
                        "AWS CloudTrail logs",
                        "Azure activity logs"
                    ],
                    "x_mitre_detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "Azure",
                        "GCP"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-20 00:09:33.072000+00:00",
                    "modified": "2020-10-22 16:43:38.388000+00:00",
                    "name": "Network Device CLI",
                    "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.\n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "execution"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1059/008",
                            "external_id": "T1059.008"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Command History",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network device logs",
                        "Network device run-time memory",
                        "Network device command history",
                        "Network device configuration"
                    ],
                    "x_mitre_detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:17:15.965000+00:00",
                    "modified": "2020-10-22 18:05:46.296000+00:00",
                    "name": "Compromise Accounts",
                    "description": "Before compromising a victim, adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona.\n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1586",
                            "external_id": "T1586"
                        },
                        {
                            "source_name": "AnonHBGary",
                            "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.",
                            "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Social media monitoring"
                    ],
                    "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:20:53.104000+00:00",
                    "modified": "2020-10-20 16:40:58.761000+00:00",
                    "name": "Email Accounts",
                    "description": "Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1586/002",
                            "external_id": "T1586.002"
                        },
                        {
                            "source_name": "AnonHBGary",
                            "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.",
                            "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:18:35.535000+00:00",
                    "modified": "2020-10-20 17:57:43.708000+00:00",
                    "name": "Social Media Accounts",
                    "description": "Before compromising a victim, adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona.\n\nA variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1586/001",
                            "external_id": "T1586.001"
                        },
                        {
                            "source_name": "AnonHBGary",
                            "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.",
                            "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/"
                        },
                        {
                            "source_name": "NEWSCASTER2014",
                            "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.",
                            "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation"
                        },
                        {
                            "source_name": "BlackHatRobinSage",
                            "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d Retrieved March 6, 2017.",
                            "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Social media monitoring"
                    ],
                    "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:36:30.759000+00:00",
                    "modified": "2020-10-22 18:03:23.937000+00:00",
                    "name": "Compromise Infrastructure",
                    "description": "Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1584",
                            "external_id": "T1584"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        },
                        {
                            "source_name": "ICANNDomainNameHijacking",
                            "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.",
                            "url": "https://www.icann.org/groups/ssac/documents/sac-007-en"
                        },
                        {
                            "source_name": "Talos DNSpionage Nov 2018",
                            "description": "Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020.",
                            "url": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
                        },
                        {
                            "source_name": "FireEye EPS Awakens Part 2",
                            "description": "Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.",
                            "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
                        },
                        {
                            "source_name": "NSA NCSC Turla OilRig",
                            "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.",
                            "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:58:35.269000+00:00",
                    "modified": "2020-10-22 18:03:23.751000+00:00",
                    "name": "Botnet",
                    "description": "Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stressor service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1584/005",
                            "external_id": "T1584.005"
                        },
                        {
                            "source_name": "Norton Botnet",
                            "description": "Norton. (n.d.). What is a botnet? Retrieved October 4, 2020.",
                            "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html"
                        },
                        {
                            "source_name": "Imperva DDoS for Hire",
                            "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.",
                            "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/"
                        },
                        {
                            "source_name": "Dell Dridex Oct 2015",
                            "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.",
                            "url": "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:54:30.869000+00:00",
                    "modified": "2020-10-19 01:22:53.922000+00:00",
                    "name": "DNS Server",
                    "description": "Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\n\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1584/002",
                            "external_id": "T1584.002"
                        },
                        {
                            "source_name": "Talos DNSpionage Nov 2018",
                            "description": "Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020.",
                            "url": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
                        },
                        {
                            "source_name": "FireEye DNS Hijack 2019",
                            "description": "Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html"
                        },
                        {
                            "source_name": "CiscoAngler",
                            "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.",
                            "url": "https://blogs.cisco.com/security/talos/angler-domain-shadowing"
                        },
                        {
                            "source_name": "Proofpoint Domain Shadowing",
                            "description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, 2020.",
                            "url": "https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:51:28.513000+00:00",
                    "modified": "2020-10-19 01:28:56.664000+00:00",
                    "name": "Domains",
                    "description": "Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1584/001",
                            "external_id": "T1584.001"
                        },
                        {
                            "source_name": "ICANNDomainNameHijacking",
                            "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.",
                            "url": "https://www.icann.org/groups/ssac/documents/sac-007-en"
                        },
                        {
                            "source_name": "Microsoft Sub Takeover 2020",
                            "description": "Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020.",
                            "url": "https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:56:25.135000+00:00",
                    "modified": "2020-10-12 19:48:07.710000+00:00",
                    "name": "Server",
                    "description": "Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1584/004",
                            "external_id": "T1584.004"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 00:55:17.771000+00:00",
                    "modified": "2020-10-22 18:01:45.792000+00:00",
                    "name": "Virtual Private Server",
                    "description": "Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1584/003",
                            "external_id": "T1584.003"
                        },
                        {
                            "source_name": "NSA NCSC Turla OilRig",
                            "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.",
                            "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:01:00.176000+00:00",
                    "modified": "2020-10-22 18:02:30.304000+00:00",
                    "name": "Web Services",
                    "description": "Before compromising a victim, adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1584/006",
                            "external_id": "T1584.006"
                        },
                        {
                            "source_name": "Recorded Future Turla Infra 2020",
                            "description": "Insikt Group. (2020, March 12). Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.",
                            "url": "https://www.recordedfuture.com/turla-apt-infrastructure/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 23:46:13.931000+00:00",
                    "modified": "2020-10-22 02:26:44.566000+00:00",
                    "name": "Data from Configuration Repository",
                    "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1602",
                            "external_id": "T1602"
                        },
                        {
                            "source_name": "US-CERT-TA18-106A",
                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
                        },
                        {
                            "source_name": "US-CERT TA17-156A SNMP Abuse 2017",
                            "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A"
                        },
                        {
                            "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities",
                            "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Network protocol analysis",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks that solicits and obtains the configuration information of the queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-20 00:08:21.745000+00:00",
                    "modified": "2020-10-22 01:45:55.144000+00:00",
                    "name": "Network Device Configuration Dump",
                    "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or to identify legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1602/002",
                            "external_id": "T1602.002"
                        },
                        {
                            "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
                            "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        },
                        {
                            "source_name": "US-CERT TA18-068A 2018",
                            "description": "US-CERT. (2018, March 27). TA18-086A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Network protocol analysis",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 23:51:05.953000+00:00",
                    "modified": "2020-10-22 01:54:22.812000+00:00",
                    "name": "SNMP (MIB Dump)",
                    "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight into their systems, such as system information, description of hardware, physical location, and software packages.(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP) The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1602/001",
                            "external_id": "T1602.001"
                        },
                        {
                            "source_name": "SANS Information Security Reading Room Securing SNMP Securing SNMP",
                            "description": "Michael Stump. (2003). Information Security Reading Room Securing SNMP: A Look at Net-SNMP (SNMPv3). Retrieved October 19, 2020.",
                            "url": "https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051"
                        },
                        {
                            "source_name": "US-CERT-TA18-106A",
                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        },
                        {
                            "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities",
                            "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Network protocol analysis",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:30:00.877000+00:00",
                    "modified": "2020-10-22 18:18:08.552000+00:00",
                    "name": "Develop Capabilities",
                    "description": "Before compromising a victim, adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1587",
                            "external_id": "T1587"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        },
                        {
                            "source_name": "Kaspersky Sofacy",
                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
                            "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
                        },
                        {
                            "source_name": "Bitdefender StrongPity June 2020",
                            "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.",
                            "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"
                        },
                        {
                            "source_name": "Talos Promethium June 2020",
                            "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.",
                            "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:41:08.652000+00:00",
                    "modified": "2020-10-15 01:15:54.945000+00:00",
                    "name": "Code Signing Certificates",
                    "description": "Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1587/002",
                            "external_id": "T1587.002"
                        },
                        {
                            "source_name": "Wikipedia Code Signing",
                            "description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.",
                            "url": "https://en.wikipedia.org/wiki/Code_signing"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:42:24.974000+00:00",
                    "modified": "2020-10-22 18:18:08.422000+00:00",
                    "name": "Digital Certificates",
                    "description": "Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\n\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1587/003",
                            "external_id": "T1587.003"
                        },
                        {
                            "source_name": "Splunk Kovar Certificates 2017",
                            "description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.",
                            "url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS certificates"
                    ],
                    "x_mitre_detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:48:15.511000+00:00",
                    "modified": "2020-10-19 03:09:34.771000+00:00",
                    "name": "Exploits",
                    "description": "Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1587/004",
                            "external_id": "T1587.004"
                        },
                        {
                            "source_name": "NYTStuxnet",
                            "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
                            "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"
                        },
                        {
                            "source_name": "Irongeek Sims BSides 2017",
                            "description": "Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020.",
                            "url": "https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:33:01.433000+00:00",
                    "modified": "2020-10-22 13:05:43.492000+00:00",
                    "name": "Malware",
                    "description": "Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed to communicate with Twitter for C2 may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1587/001",
                            "external_id": "T1587.001"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        },
                        {
                            "source_name": "Kaspersky Sofacy",
                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
                            "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
                        },
                        {
                            "source_name": "ActiveMalwareEnergy",
                            "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.",
                            "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/"
                        },
                        {
                            "source_name": "FBI Flash FIN7 USB",
                            "description": "Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020.",
                            "url": "https://www.losangeles.va.gov/documents/MI-000120-MW.pdf"
                        },
                        {
                            "source_name": "FireEye APT29",
                            "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.",
                            "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:05:42.216000+00:00",
                    "modified": "2020-10-22 18:20:40.675000+00:00",
                    "name": "Establish Accounts",
                    "description": "Before compromising a victim, adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Establishing a persona may require development of additional documentation to make it seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1585",
                            "external_id": "T1585"
                        },
                        {
                            "source_name": "NEWSCASTER2014",
                            "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.",
                            "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation"
                        },
                        {
                            "source_name": "BlackHatRobinSage",
                            "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.",
                            "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Social media monitoring"
                    ],
                    "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:09:53.217000+00:00",
                    "modified": "2020-10-14 00:48:47.515000+00:00",
                    "name": "Email Accounts",
                    "description": "Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1585/002",
                            "external_id": "T1585.002"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        },
                        {
                            "source_name": "Trend Micro R980 2016",
                            "description": "Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:08:41.124000+00:00",
                    "modified": "2020-10-20 17:58:13.557000+00:00",
                    "name": "Social Media Accounts",
                    "description": "Before compromising a victim, adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make it seem real. This could include filling out profile information, developing social networks, or incorporating photos.\n\nOnce a persona has been developed, an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1585/001",
                            "external_id": "T1585.001"
                        },
                        {
                            "source_name": "NEWSCASTER2014",
                            "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.",
                            "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation"
                        },
                        {
                            "source_name": "BlackHatRobinSage",
                            "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.",
                            "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Social media monitoring"
                    ],
                    "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:39:33.966000+00:00",
                    "modified": "2020-10-24 03:53:39.351000+00:00",
                    "name": "Gather Victim Host Information",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1592",
                            "external_id": "T1592"
                        },
                        {
                            "source_name": "ATT ScanBox",
                            "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
                            "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:47:16.719000+00:00",
                    "modified": "2020-10-24 03:52:10.774000+00:00",
                    "name": "Client Configurations",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1592/004",
                            "external_id": "T1592.004"
                        },
                        {
                            "source_name": "ATT ScanBox",
                            "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
                            "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:46:42.537000+00:00",
                    "modified": "2020-10-24 03:52:36.854000+00:00",
                    "name": "Firmware",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Because firmware details are rarely observable from the network, information about host firmware may be exposed to adversaries only through online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, purchase invoices, or leaked vendor data).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1592/003",
                            "external_id": "T1592.003"
                        },
                        {
                            "source_name": "ArsTechnica Intel",
                            "description": "Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel source code and proprietary data dumped online. Retrieved October 20, 2020.",
                            "url": "https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:40:47.488000+00:00",
                    "modified": "2020-10-24 03:53:03.353000+00:00",
                    "name": "Hardware",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1592/001",
                            "external_id": "T1592.001"
                        },
                        {
                            "source_name": "ATT ScanBox",
                            "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
                            "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:42:17.482000+00:00",
                    "modified": "2020-10-24 03:53:39.162000+00:00",
                    "name": "Software",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1592/002",
                            "external_id": "T1592.002"
                        },
                        {
                            "source_name": "ATT ScanBox",
                            "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
                            "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 14:54:59.263000+00:00",
                    "modified": "2020-10-27 02:27:31.387000+00:00",
                    "name": "Gather Victim Identity Information",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1589",
                            "external_id": "T1589"
                        },
                        {
                            "source_name": "OPM Leak",
                            "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020.",
                            "url": "https://www.opm.gov/cybersecurity/cybersecurity-incidents/"
                        },
                        {
                            "source_name": "Register Deloitte",
                            "description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.",
                            "url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/"
                        },
                        {
                            "source_name": "Register Uber",
                            "description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020.",
                            "url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/"
                        },
                        {
                            "source_name": "Detectify Slack Tokens",
                            "description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020.",
                            "url": "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/"
                        },
                        {
                            "source_name": "Forbes GitHub Creds",
                            "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.",
                            "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196"
                        },
                        {
                            "source_name": "GitHub truffleHog",
                            "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.",
                            "url": "https://github.com/dxa4481/truffleHog"
                        },
                        {
                            "source_name": "GitHub Gitrob",
                            "description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.",
                            "url": "https://github.com/michenriksen/gitrob"
                        },
                        {
                            "source_name": "CNET Leaks",
                            "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.",
                            "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 14:55:43.815000+00:00",
                    "modified": "2020-10-27 02:27:31.090000+00:00",
                    "name": "Credentials",
                    "description": "Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1589/001",
                            "external_id": "T1589.001"
                        },
                        {
                            "source_name": "ATT ScanBox",
                            "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
                            "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
                        },
                        {
                            "source_name": "Register Deloitte",
                            "description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.",
                            "url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/"
                        },
                        {
                            "source_name": "Register Uber",
                            "description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020.",
                            "url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/"
                        },
                        {
                            "source_name": "Detectify Slack Tokens",
                            "description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020.",
                            "url": "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/"
                        },
                        {
                            "source_name": "Forbes GitHub Creds",
                            "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.",
                            "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196"
                        },
                        {
                            "source_name": "GitHub truffleHog",
                            "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.",
                            "url": "https://github.com/dxa4481/truffleHog"
                        },
                        {
                            "source_name": "GitHub Gitrob",
                            "description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.",
                            "url": "https://github.com/michenriksen/gitrob"
                        },
                        {
                            "source_name": "CNET Leaks",
                            "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.",
                            "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Vinayak Wadhwa, Lucideus",
                        "Lee Christensen, SpecterOps",
                        "Toby Kohlenberg"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 14:56:24.866000+00:00",
                    "modified": "2020-10-24 03:46:04.662000+00:00",
                    "name": "Email Addresses",
                    "description": "Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1589/002",
                            "external_id": "T1589.002"
                        },
                        {
                            "source_name": "HackersArise Email",
                            "description": "Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020.",
                            "url": "https://www.hackers-arise.com/email-scraping-and-maltego"
                        },
                        {
                            "source_name": "CNET Leaks",
                            "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.",
                            "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 14:57:15.906000+00:00",
                    "modified": "2020-10-24 03:46:29.173000+00:00",
                    "name": "Employee Names",
                    "description": "Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\n\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1589/003",
                            "external_id": "T1589.003"
                        },
                        {
                            "source_name": "OPM Leak",
                            "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020.",
                            "url": "https://www.opm.gov/cybersecurity/cybersecurity-incidents/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 15:45:17.628000+00:00",
                    "modified": "2020-10-25 22:58:23.086000+00:00",
                    "name": "Gather Victim Network Information",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1590",
                            "external_id": "T1590"
                        },
                        {
                            "source_name": "WHOIS",
                            "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.",
                            "url": "https://www.whois.net/"
                        },
                        {
                            "source_name": "DNS Dumpster",
                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
                            "url": "https://dnsdumpster.com/"
                        },
                        {
                            "source_name": "Circl Passive DNS",
                            "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.",
                            "url": "https://www.circl.lu/services/passive-dns/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 15:47:10.102000+00:00",
                    "modified": "2020-10-24 04:02:39.701000+00:00",
                    "name": "DNS",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts.\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1590/002",
                            "external_id": "T1590.002"
                        },
                        {
                            "source_name": "DNS Dumpster",
                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
                            "url": "https://dnsdumpster.com/"
                        },
                        {
                            "source_name": "Circl Passive DNS",
                            "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.",
                            "url": "https://www.circl.lu/services/passive-dns/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 15:46:24.670000+00:00",
                    "modified": "2020-10-25 22:58:22.915000+00:00",
                    "name": "Domain Properties",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1590/001",
                            "external_id": "T1590.001"
                        },
                        {
                            "source_name": "WHOIS",
                            "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.",
                            "url": "https://www.whois.net/"
                        },
                        {
                            "source_name": "DNS Dumpster",
                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
                            "url": "https://dnsdumpster.com/"
                        },
                        {
                            "source_name": "Circl Passive DNS",
                            "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.",
                            "url": "https://www.circl.lu/services/passive-dns/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 15:59:11.695000+00:00",
                    "modified": "2020-10-24 04:03:29.213000+00:00",
                    "name": "IP Addresses",
                    "description": "Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1590/005",
                            "external_id": "T1590.005"
                        },
                        {
                            "source_name": "WHOIS",
                            "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.",
                            "url": "https://www.whois.net/"
                        },
                        {
                            "source_name": "DNS Dumpster",
                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
                            "url": "https://dnsdumpster.com/"
                        },
                        {
                            "source_name": "Circl Passive DNS",
                            "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.",
                            "url": "https://www.circl.lu/services/passive-dns/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:01:35.350000+00:00",
                    "modified": "2020-10-24 04:04:13.578000+00:00",
                    "name": "Network Security Appliances",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1590/006",
                            "external_id": "T1590.006"
                        },
                        {
                            "source_name": "Nmap Firewalls NIDS",
                            "description": "Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems. Retrieved October 20, 2020.",
                            "url": "https://nmap.org/book/firewalls.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 15:49:03.815000+00:00",
                    "modified": "2020-10-24 04:04:40.188000+00:00",
                    "name": "Network Topology",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1590/004",
                            "external_id": "T1590.004"
                        },
                        {
                            "source_name": "DNS Dumpster",
                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
                            "url": "https://dnsdumpster.com/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 15:47:59.457000+00:00",
                    "modified": "2020-10-24 04:05:03.816000+00:00",
                    "name": "Network Trust Dependencies",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1590/003",
                            "external_id": "T1590.003"
                        },
                        {
                            "source_name": "Pentesting AD Forests",
                            "description": "Garc\u00eda, C. (2019, April 3). Pentesting Active Directory Forests. Retrieved October 20, 2020.",
                            "url": "https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:27:02.339000+00:00",
                    "modified": "2020-10-24 04:10:36.479000+00:00",
                    "name": "Gather Victim Org Information",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1591",
                            "external_id": "T1591"
                        },
                        {
                            "source_name": "ThreatPost Broadvoice Leak",
                            "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
                            "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
                        },
                        {
                            "source_name": "DOB Business Lookup",
                            "description": "Concert Technologies. (n.d.). Business Lookup - Company Name Search. Retrieved October 20, 2020.",
                            "url": "https://www.dobsearch.com/business-lookup/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:27:55.713000+00:00",
                    "modified": "2020-10-24 04:08:59.209000+00:00",
                    "name": "Business Relationships",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization\u2019s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim\u2019s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1591/002",
                            "external_id": "T1591.002"
                        },
                        {
                            "source_name": "ThreatPost Broadvoice Leak",
                            "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
                            "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:32:33.126000+00:00",
                    "modified": "2020-10-24 04:09:48.419000+00:00",
                    "name": "Determine Physical Locations",
                    "description": "Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1591/001",
                            "external_id": "T1591.001"
                        },
                        {
                            "source_name": "ThreatPost Broadvoice Leak",
                            "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
                            "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
                        },
                        {
                            "source_name": "DOB Business Lookup",
                            "description": "Concert Technologies. (n.d.). Business Lookup - Company Name Search. Retrieved October 20, 2020.",
                            "url": "https://www.dobsearch.com/business-lookup/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:34:32.435000+00:00",
                    "modified": "2020-10-24 04:10:12.352000+00:00",
                    "name": "Identify Business Tempo",
                    "description": "Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization\u2019s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim\u2019s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1591/003",
                            "external_id": "T1591.003"
                        },
                        {
                            "source_name": "ThreatPost Broadvoice Leak",
                            "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
                            "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:37:30.015000+00:00",
                    "modified": "2020-10-24 04:10:36.279000+00:00",
                    "name": "Identify Roles",
                    "description": "Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1591/004",
                            "external_id": "T1591.004"
                        },
                        {
                            "source_name": "ThreatPost Broadvoice Leak",
                            "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
                            "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-17 12:51:40.845000+00:00",
                    "modified": "2020-09-23 11:31:50.407000+00:00",
                    "name": "VBA Stomping",
                    "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zeros, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the <code>_VBA_PROJECT</code> stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1564/007",
                            "external_id": "T1564.007"
                        },
                        {
                            "source_name": "FireEye VBA stomp Feb 2020",
                            "description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
                        },
                        {
                            "source_name": "Evil Clippy May 2019",
                            "description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.",
                            "url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/"
                        },
                        {
                            "source_name": "Microsoft _VBA_PROJECT Stream",
                            "description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.",
                            "url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239"
                        },
                        {
                            "source_name": "Walmart Roberts Oct 2018",
                            "description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020.",
                            "url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278"
                        },
                        {
                            "source_name": "pcodedmp Bontchev",
                            "description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.",
                            "url": "https://github.com/bontchev/pcodedmp"
                        },
                        {
                            "source_name": "oletools toolkit",
                            "description": "decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020.",
                            "url": "https://github.com/decalage2/oletools"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Rick Cole, FireEye"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Detection efforts should be placed on finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the <code>PROJECT</code> stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the <code>PROJECT</code> stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS"
                    ],
                    "x_mitre_system_requirements": [
                        "MS Office version specified in <code>_VBA_PROJECT</code> stream must match host"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-12 13:52:32.846000+00:00",
                    "modified": "2020-10-19 16:31:34.489000+00:00",
                    "name": "Disable Cloud Logs",
                    "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1562/008",
                            "external_id": "T1562.008"
                        },
                        {
                            "source_name": "Following the CloudTrail: Generating strong AWS security signals with Sumo Logic",
                            "description": "Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020.",
                            "url": "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"
                        },
                        {
                            "source_name": "Stopping CloudTrail from Sending Events to CloudWatch Logs",
                            "description": "Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.",
                            "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html"
                        },
                        {
                            "source_name": "Configuring Data Access audit logs",
                            "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.",
                            "url": "https://cloud.google.com/logging/docs/audit/configure-data-access"
                        },
                        {
                            "source_name": "az monitor diagnostic-settings",
                            "description": "Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.",
                            "url": "https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Ibrahim Ali Khan",
                        "AttackIQ",
                        "Janantha Marasinghe",
                        "Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) ",
                        "Matt Snyder, VMware"
                    ],
                    "x_mitre_data_sources": [
                        "AWS CloudTrail logs",
                        "Azure activity logs",
                        "GCP audit logs"
                    ],
                    "x_mitre_detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: <code>StopLogging</code> and <code>DeleteTrail</code>.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: <code>google.logging.v2.ConfigServiceV2.UpdateSink</code>.(Citation: Configuring Data Access audit logs)  In Azure, monitor for <code>az monitor diagnostic-settings delete</code>.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "GCP",
                        "Azure",
                        "AWS"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-15 12:05:58.755000+00:00",
                    "modified": "2020-10-16 15:22:11.604000+00:00",
                    "name": "ARP Cache Poisoning",
                    "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1557/002",
                            "external_id": "T1557.002"
                        },
                        {
                            "source_name": "RFC826 ARP",
                            "description": "Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020.",
                            "url": "https://tools.ietf.org/html/rfc826"
                        },
                        {
                            "source_name": "Sans ARP Spoofing Aug 2003",
                            "description": "Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020.",
                            "url": "https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411"
                        },
                        {
                            "source_name": "Cylance Cleaver",
                            "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
                            "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Jon Sternstein, Stern Security"
                    ],
                    "x_mitre_data_sources": [
                        "Packet capture",
                        "Netflow/Enclave netflow"
                    ],
                    "x_mitre_detection": "Monitor network traffic for unusual ARP traffic; gratuitous ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 17:58:04.155000+00:00",
                    "modified": "2020-10-21 02:41:11.550000+00:00",
                    "name": "Network Device Authentication",
                    "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password.  The modification includes a specific password which is implanted in the operating system image via the patch.  Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1556/004",
                            "external_id": "T1556.004"
                        },
                        {
                            "source_name": "FireEye - Synful Knock",
                            "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nDetection of this behavior may be difficult; detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 19:42:19.740000+00:00",
                    "modified": "2020-10-22 17:50:47.635000+00:00",
                    "name": "Modify System Image",
                    "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.  On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it.  This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1601",
                            "external_id": "T1601"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network device run-time memory",
                        "Network device configuration",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Most embedded network devices provide a command to print the version of the currently running operating system.  Use this command to query the operating system for its version number and compare it to what is expected for the device in question.  Because this method may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. \n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source.  Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not.  Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.  (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory.  If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 19:53:10.576000+00:00",
                    "modified": "2020-10-22 17:49:02.660000+00:00",
                    "name": "Downgrade System Image",
                    "description": "Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage.  With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart.  The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older version may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).  Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).  ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1601/002",
                            "external_id": "T1601.002"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network device configuration",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Many embedded network devices provide a command to print the version of the currently running operating system.  Use this command to query the operating system for its version number and compare it to what is expected for the device in question.  Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 19:49:24.129000+00:00",
                    "modified": "2020-10-22 17:50:46.560000+00:00",
                    "name": "Patch System Image",
                    "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file.  Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection.  The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system.  This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system.  Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory.  This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599).  Adding new capabilities for the adversary\u2019s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders.   When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system.  By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots.  However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1601/001",
                            "external_id": "T1601.001"
                        },
                        {
                            "source_name": "Killing the myth of Cisco IOS rootkits",
                            "description": "Sebastian 'topo' Mu\u00f1iz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020.",
                            "url": "https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf"
                        },
                        {
                            "source_name": "Killing IOS diversity myth",
                            "description": "Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020.",
                            "url": "https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf"
                        },
                        {
                            "source_name": "Cisco IOS Shellcode",
                            "description": "George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved October 21, 2020.",
                            "url": "http://2015.zeronights.org/assets/files/05-Nosenko.pdf"
                        },
                        {
                            "source_name": "Cisco IOS Forensics Developments",
                            "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.",
                            "url": "https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf"
                        },
                        {
                            "source_name": "Juniper Netscreen of the Dead",
                            "description": "Graeme Neilson. (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020.",
                            "url": "https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network device run-time memory",
                        "Network device configuration",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source.  Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not.  Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory.  If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 16:08:29.817000+00:00",
                    "modified": "2020-10-21 01:45:59.246000+00:00",
                    "name": "Network Boundary Bridging",
                    "description": "Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks.  They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections.  Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications.  To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance.  By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001).  In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1599",
                            "external_id": "T1599"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Packet capture"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Router ACL",
                        "Firewall"
                    ],
                    "x_mitre_detection": "Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question.  Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device.\n\nMonitor the border network device\u2019s configuration to validate that the policy enforcement sections are what was intended.  Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 16:48:08.241000+00:00",
                    "modified": "2020-10-21 01:45:58.951000+00:00",
                    "name": "Network Address Translation Traversal",
                    "description": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device.  A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design.  In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device.  In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.  \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1599/001",
                            "external_id": "T1599.001"
                        },
                        {
                            "source_name": "RFC1918",
                            "description": "IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020.",
                            "url": "https://tools.ietf.org/html/rfc1918"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Consider monitoring network traffic on both interfaces of border network devices.  Compare packets transmitted by the device between networks to look for signs of NAT being implemented.  Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3.  In some cases, Port Address Translation (PAT) may also be used by an adversary.\n\nMonitor the border network device\u2019s configuration to determine if any unintended NAT rules have been added without authorization.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 01:56:24.776000+00:00",
                    "modified": "2020-10-22 18:22:21.135000+00:00",
                    "name": "Obtain Capabilities",
                    "description": "Before compromising a victim, adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1588",
                            "external_id": "T1588"
                        },
                        {
                            "source_name": "NationsBuying",
                            "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.",
                            "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html"
                        },
                        {
                            "source_name": "PegasusCitizenLab",
                            "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
                            "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
                        },
                        {
                            "source_name": "DiginotarCompromise",
                            "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.",
                            "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 02:11:47.237000+00:00",
                    "modified": "2020-10-22 18:22:21.007000+00:00",
                    "name": "Code Signing Certificates",
                    "description": "Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1588/003",
                            "external_id": "T1588.003"
                        },
                        {
                            "source_name": "Wikipedia Code Signing",
                            "description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.",
                            "url": "https://en.wikipedia.org/wiki/Code_signing"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 02:14:18.044000+00:00",
                    "modified": "2020-10-22 18:18:54.959000+00:00",
                    "name": "Digital Certificates",
                    "description": "Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise)\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAdversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1588/004",
                            "external_id": "T1588.004"
                        },
                        {
                            "source_name": "DiginotarCompromise",
                            "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.",
                            "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/"
                        },
                        {
                            "source_name": "Let's Encrypt FAQ",
                            "description": "Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved October 15, 2020.",
                            "url": "https://letsencrypt.org/docs/faq/"
                        },
                        {
                            "source_name": "Splunk Kovar Certificates 2017",
                            "description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.",
                            "url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html"
                        },
                        {
                            "source_name": "Recorded Future Beacon Certificates",
                            "description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020.",
                            "url": "https://www.recordedfuture.com/cobalt-strike-servers/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS certificates"
                    ],
                    "x_mitre_detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 02:17:46.086000+00:00",
                    "modified": "2020-10-18 21:47:09.385000+00:00",
                    "name": "Exploits",
                    "description": "Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1588/005",
                            "external_id": "T1588.005"
                        },
                        {
                            "source_name": "Exploit Database",
                            "description": "Offensive Security. (n.d.). Exploit Database. Retrieved October 15, 2020.",
                            "url": "https://www.exploit-db.com/"
                        },
                        {
                            "source_name": "TempertonDarkHotel",
                            "description": "Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.",
                            "url": "https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage"
                        },
                        {
                            "source_name": "NationsBuying",
                            "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.",
                            "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html"
                        },
                        {
                            "source_name": "PegasusCitizenLab",
                            "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
                            "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
                        },
                        {
                            "source_name": "Wired SandCat Oct 2019",
                            "description": "Zetter, K. (2019, October 3). Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved October 15, 2020.",
                            "url": "https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 02:06:11.499000+00:00",
                    "modified": "2020-10-15 20:46:54.437000+00:00",
                    "name": "Malware",
                    "description": "Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1588/001",
                            "external_id": "T1588.001"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-01 02:08:33.977000+00:00",
                    "modified": "2020-10-20 14:46:37.477000+00:00",
                    "name": "Tool",
                    "description": "Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1588/002",
                            "external_id": "T1588.002"
                        },
                        {
                            "source_name": "Recorded Future Beacon 2019",
                            "description": "Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.",
                            "url": "https://www.recordedfuture.com/identifying-cobalt-strike-servers/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-15 02:59:38.628000+00:00",
                    "modified": "2020-10-16 01:54:39.868000+00:00",
                    "name": "Vulnerabilities",
                    "description": "Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "resource-development"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1588/006",
                            "external_id": "T1588.006"
                        },
                        {
                            "source_name": "National Vulnerability Database",
                            "description": "National Vulnerability Database. (n.d.). National Vulnerability Database. Retrieved October 15, 2020.",
                            "url": "https://nvd.nist.gov/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:07:01.502000+00:00",
                    "modified": "2020-10-25 19:44:58.292000+00:00",
                    "name": "Phishing for Information",
                    "description": "Before compromising a victim, adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1598",
                            "external_id": "T1598"
                        },
                        {
                            "source_name": "ThreatPost Social Media Phishing",
                            "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.",
                            "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/"
                        },
                        {
                            "source_name": "TrendMictro Phishing",
                            "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.",
                            "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
                        },
                        {
                            "source_name": "PCMag FakeLogin",
                            "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.",
                            "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages"
                        },
                        {
                            "source_name": "Sophos Attachment",
                            "description": "Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020.",
                            "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/"
                        },
                        {
                            "source_name": "GitHub Phishery",
                            "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.",
                            "url": "https://github.com/ryhanson/phishery"
                        },
                        {
                            "source_name": "Microsoft Anti Spoofing",
                            "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.",
                            "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"
                        },
                        {
                            "source_name": "ACSC Email Spoofing",
                            "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.",
                            "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Sebastian Salla, McAfee",
                        "Robert Simmons"
                    ],
                    "x_mitre_data_sources": [
                        "Social media monitoring",
                        "Mail server",
                        "Email gateway"
                    ],
                    "x_mitre_detection": "Depending on the specific method of spearphishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nWhen it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.\n\nMonitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:08:57.386000+00:00",
                    "modified": "2020-10-24 04:12:48.152000+00:00",
                    "name": "Spearphishing Attachment",
                    "description": "Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1598/002",
                            "external_id": "T1598.002"
                        },
                        {
                            "source_name": "Sophos Attachment",
                            "description": "Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020.",
                            "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/"
                        },
                        {
                            "source_name": "GitHub Phishery",
                            "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.",
                            "url": "https://github.com/ryhanson/phishery"
                        },
                        {
                            "source_name": "Microsoft Anti Spoofing",
                            "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.",
                            "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"
                        },
                        {
                            "source_name": "ACSC Email Spoofing",
                            "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.",
                            "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Sebastian Salla, McAfee",
                        "Robert Simmons"
                    ],
                    "x_mitre_data_sources": [
                        "Mail server",
                        "Email gateway"
                    ],
                    "x_mitre_detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:09:50.723000+00:00",
                    "modified": "2020-10-24 04:13:12.752000+00:00",
                    "name": "Spearphishing Link",
                    "description": "Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1598/003",
                            "external_id": "T1598.003"
                        },
                        {
                            "source_name": "TrendMictro Phishing",
                            "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.",
                            "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
                        },
                        {
                            "source_name": "PCMag FakeLogin",
                            "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.",
                            "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages"
                        },
                        {
                            "source_name": "Microsoft Anti Spoofing",
                            "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.",
                            "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"
                        },
                        {
                            "source_name": "ACSC Email Spoofing",
                            "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.",
                            "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Sebastian Salla, McAfee",
                        "Robert Simmons"
                    ],
                    "x_mitre_data_sources": [
                        "Mail server",
                        "Email gateway"
                    ],
                    "x_mitre_detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:08:07.742000+00:00",
                    "modified": "2020-10-25 19:44:58.093000+00:00",
                    "name": "Spearphishing Service",
                    "description": "Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1598/001",
                            "external_id": "T1598.001"
                        },
                        {
                            "source_name": "ThreatPost Social Media Phishing",
                            "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.",
                            "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Robert Simmons"
                    ],
                    "x_mitre_detection": "Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-20 00:05:48.790000+00:00",
                    "modified": "2020-10-22 02:18:19.568000+00:00",
                    "name": "ROMMONkit",
                    "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect.(Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1542/004",
                            "external_id": "T1542.004"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Netflow/Enclave netflow",
                        "Network protocol analysis",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation. Because replacing the ROMMON requires loading a new image onto the device (locally or remotely, for example over TFTP) and restarting it, unexpected image transfers to the device and unexplained reloads may be the most practical indicators available to defenders.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-20 00:06:56.180000+00:00",
                    "modified": "2020-10-22 16:35:53.806000+00:00",
                    "name": "TFTP Boot",
                    "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device to specify use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image.(Citation: Cisco Blog Legacy Device Attacks)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1542/005",
                            "external_id": "T1542.005"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Command History",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23"
                        },
                        {
                            "source_name": "Cisco IOS Software Integrity Assurance - Boot Information",
                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot Information. Retrieved October 21, 2020.",
                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#26"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network device run-time memory",
                        "Network device command history",
                        "Network device configuration",
                        "File monitoring",
                        "Network device logs"
                    ],
                    "x_mitre_detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS.(Citation: Cisco IOS Software Integrity Assurance - Secure Boot)(Citation: Cisco IOS Software Integrity Assurance - Image File Verification) The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment.(Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-12 17:50:31.584000+00:00",
                    "modified": "2020-10-14 15:20:00.754000+00:00",
                    "name": "Systemd Timers",
                    "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)\n\nEach <code>.timer</code> file is paired with a corresponding <code>.service</code> file, by default one with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged (system-wide) timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system/</code>, while user-level timers are written to <code>~/.config/systemd/user/</code>.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root-level persistence. Adversaries may also install user-level timers to achieve user-level persistence.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "execution"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1053/006",
                            "external_id": "T1053.006"
                        },
                        {
                            "source_name": "archlinux Systemd Timers Aug 2020",
                            "description": "archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020.",
                            "url": "https://wiki.archlinux.org/index.php/Systemd/Timers"
                        },
                        {
                            "source_name": "Linux man-pages: systemd January 2014",
                            "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.",
                            "url": "http://man7.org/linux/man-pages/man1/systemd.1.html"
                        },
                        {
                            "source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018",
                            "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.",
                            "url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/"
                        },
                        {
                            "source_name": "gist Arch package compromise 10JUL2018",
                            "description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.",
                            "url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a"
                        },
                        {
                            "source_name": "acroread package compromised Arch Linux Mail 8JUL2018",
                            "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.",
                            "url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "SarathKumar Rajendran, Trimble Inc"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the <code>/etc/systemd/system</code>, <code>/usr/lib/systemd/system/</code>, and <code>~/.config/systemd/user/</code> directories, as well as associated symbolic links. Suspicious processes or scripts spawned by system-wide timers will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user; processes spawned by user-level timers instead run as that user under the user's own systemd instance, so detection logic keyed solely on parent PID 1 or the root user will miss them.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system-wide timers: <code>systemctl list-timers --all</code>. User-level timers are not shown by that command and must be enumerated per user with <code>systemctl --user list-timers --all</code>. Analyze the contents of the corresponding <code>.service</code> files present on the file system and ensure that they refer to legitimate, expected executables (a <code>.timer</code> may name a different unit to activate, so do not assume the paired <code>.service</code> always shares the timer's name).\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "root"
                    ],
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:01:42.558000+00:00",
                    "modified": "2020-10-24 04:15:53.892000+00:00",
                    "name": "Search Closed Sources",
                    "description": "Before compromising a victim, adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1597",
                            "external_id": "T1597"
                        },
                        {
                            "source_name": "D3Secutrity CTI Feeds",
                            "description": "Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020.",
                            "url": "https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/"
                        },
                        {
                            "source_name": "ZDNET Selling Data",
                            "description": "Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020.",
                            "url": "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:05:43.562000+00:00",
                    "modified": "2020-10-24 04:15:26.840000+00:00",
                    "name": "Purchase Technical Data",
                    "description": "Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim\u2019s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1597/002",
                            "external_id": "T1597.002"
                        },
                        {
                            "source_name": "ZDNET Selling Data",
                            "description": "Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020.",
                            "url": "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:03:45.918000+00:00",
                    "modified": "2020-10-24 04:15:53.678000+00:00",
                    "name": "Threat Intel Vendors",
                    "description": "Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\n\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1597/001",
                            "external_id": "T1597.001"
                        },
                        {
                            "source_name": "D3Secutrity CTI Feeds",
                            "description": "Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020.",
                            "url": "https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:56:05.810000+00:00",
                    "modified": "2020-10-24 04:20:44.166000+00:00",
                    "name": "Search Open Technical Databases",
                    "description": "Before compromising a victim, adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1596",
                            "external_id": "T1596"
                        },
                        {
                            "source_name": "WHOIS",
                            "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.",
                            "url": "https://www.whois.net/"
                        },
                        {
                            "source_name": "DNS Dumpster",
                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
                            "url": "https://dnsdumpster.com/"
                        },
                        {
                            "source_name": "Circl Passive DNS",
                            "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.",
                            "url": "https://www.circl.lu/services/passive-dns/"
                        },
                        {
                            "source_name": "Medium SSL Cert",
                            "description": "Jain, M. (2019, September 16). Export & Download \u2014 SSL Certificate from Server (Site URL). Retrieved October 20, 2020.",
                            "url": "https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2"
                        },
                        {
                            "source_name": "SSLShopper Lookup",
                            "description": "SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.",
                            "url": "https://www.sslshopper.com/ssl-checker.html"
                        },
                        {
                            "source_name": "DigitalShadows CDN",
                            "description": "Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed \u2013 How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020.",
                            "url": "https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/"
                        },
                        {
                            "source_name": "Shodan",
                            "description": "Shodan. (n.d.). Shodan. Retrieved October 20, 2020.",
                            "url": "https://shodan.io"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:59:56.648000+00:00",
                    "modified": "2020-10-24 04:17:09.684000+00:00",
                    "name": "CDNs",
                    "description": "Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor\u2019s geographical region.\n\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization\u2019s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1596/004",
                            "external_id": "T1596.004"
                        },
                        {
                            "source_name": "DigitalShadows CDN",
                            "description": "Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed \u2013 How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020.",
                            "url": "https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:57:45.044000+00:00",
                    "modified": "2020-10-24 04:19:40.584000+00:00",
                    "name": "DNS/Passive DNS",
                    "description": "Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1596/001",
                            "external_id": "T1596.001"
                        },
                        {
                            "source_name": "DNS Dumpster",
                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
                            "url": "https://dnsdumpster.com/"
                        },
                        {
                            "source_name": "Circl Passive DNS",
                            "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.",
                            "url": "https://www.circl.lu/services/passive-dns/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:58:58.738000+00:00",
                    "modified": "2020-10-24 04:19:15.289000+00:00",
                    "name": "Digital Certificates",
                    "description": "Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used for encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1596/003",
                            "external_id": "T1596.003"
                        },
                        {
                            "source_name": "SSLShopper Lookup",
                            "description": "SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.",
                            "url": "https://www.sslshopper.com/ssl-checker.html"
                        },
                        {
                            "source_name": "Medium SSL Cert",
                            "description": "Jain, M. (2019, September 16). Export & Download \u2014 SSL Certificate from Server (Site URL). Retrieved October 20, 2020.",
                            "url": "https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 17:00:44.586000+00:00",
                    "modified": "2020-10-24 04:20:18.786000+00:00",
                    "name": "Scan Databases",
                    "description": "Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\n\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1596/005",
                            "external_id": "T1596.005"
                        },
                        {
                            "source_name": "Shodan",
                            "description": "Shodan. (n.d.). Shodan. Retrieved October 20, 2020.",
                            "url": "https://shodan.io"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:56:49.744000+00:00",
                    "modified": "2020-10-24 04:20:43.941000+00:00",
                    "name": "WHOIS",
                    "description": "Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1596/002",
                            "external_id": "T1596.002"
                        },
                        {
                            "source_name": "WHOIS",
                            "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.",
                            "url": "https://www.whois.net/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:48:04.509000+00:00",
                    "modified": "2020-10-24 04:22:46.374000+00:00",
                    "name": "Search Open Websites/Domains",
                    "description": "Before compromising a victim, adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1593",
                            "external_id": "T1593"
                        },
                        {
                            "source_name": "Cyware Social Media",
                            "description": "Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020.",
                            "url": "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e"
                        },
                        {
                            "source_name": "SecurityTrails Google Hacking",
                            "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020.",
                            "url": "https://securitytrails.com/blog/google-hacking-techniques"
                        },
                        {
                            "source_name": "ExploitDB GoogleHacking",
                            "description": "Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020.",
                            "url": "https://www.exploit-db.com/google-hacking-database"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:50:12.809000+00:00",
                    "modified": "2020-10-24 04:22:11.245000+00:00",
                    "name": "Search Engines",
                    "description": "Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1593/002",
                            "external_id": "T1593.002"
                        },
                        {
                            "source_name": "SecurityTrails Google Hacking",
                            "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020.",
                            "url": "https://securitytrails.com/blog/google-hacking-techniques"
                        },
                        {
                            "source_name": "ExploitDB GoogleHacking",
                            "description": "Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020.",
                            "url": "https://www.exploit-db.com/google-hacking-database"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:49:31.262000+00:00",
                    "modified": "2020-10-24 04:22:46.235000+00:00",
                    "name": "Social Media",
                    "description": "Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\n\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1593/001",
                            "external_id": "T1593.001"
                        },
                        {
                            "source_name": "Cyware Social Media",
                            "description": "Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020.",
                            "url": "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-02 16:51:50.306000+00:00",
                    "modified": "2020-10-24 04:23:37.282000+00:00",
                    "name": "Search Victim-Owned Websites",
                    "description": "Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "reconnaissance"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1594",
                            "external_id": "T1594"
                        },
                        {
                            "source_name": "Comparitech Leak",
                            "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.",
                            "url": "https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Web logs"
                    ],
                    "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "PRE"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-10 13:59:38.443000+00:00",
                    "modified": "2020-08-19 19:29:18.138000+00:00",
                    "name": "Verclsid",
                    "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1218/012",
                            "external_id": "T1218.012"
                        },
                        {
                            "source_name": "WinOSBite verclsid.exe",
                            "description": "verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block. Retrieved August 10, 2020.",
                            "url": "https://www.winosbite.com/verclsid-exe/"
                        },
                        {
                            "source_name": "LOLBAS Verclsid",
                            "description": "LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020.",
                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/"
                        },
                        {
                            "source_name": "Red Canary Verclsid.exe",
                            "description": "Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020.",
                            "url": "https://redcanary.com/blog/verclsid-exe-threat-detection/"
                        },
                        {
                            "source_name": "BOHOPS Abusing the COM Registry",
                            "description": "BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.",
                            "url": "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
                        },
                        {
                            "source_name": "Nick Tyrer GitHub",
                            "description": "Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020.",
                            "url": "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Rodrigo Garcia, Red Canary"
                    ],
                    "x_mitre_data_sources": [
                        "Process use of network",
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Application control",
                        "Digital Certificate Validation"
                    ],
                    "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-24 13:43:00.028000+00:00",
                    "modified": "2020-10-20 19:30:11.783000+00:00",
                    "name": "AS-REP Roasting",
                    "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1558/004",
                            "external_id": "T1558.004"
                        },
                        {
                            "source_name": "Harmj0y Roasting AS-REPs Jan 2017",
                            "description": "HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020.",
                            "url": "http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/"
                        },
                        {
                            "source_name": "Microsoft Kerberos Preauth 2014",
                            "description": "Sanyal, M. (2014, March 18). Kerberos Pre-Authentication: Why It Should Not Be Disabled. Retrieved August 25, 2020.",
                            "url": "https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx"
                        },
                        {
                            "source_name": "Stealthbits Cracking AS-REP Roasting Jun 2019",
                            "description": "Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020.",
                            "url": "https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/"
                        },
                        {
                            "source_name": "SANS Attacking Kerberos Nov 2014",
                            "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.",
                            "url": "https://redsiege.com/kerberoast-slides"
                        },
                        {
                            "source_name": "AdSecurity Cracking Kerberos Dec 2015",
                            "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.",
                            "url": "https://adsecurity.org/?p=2293"
                        },
                        {
                            "source_name": "Microsoft Detecting Kerberoasting Feb 2018",
                            "description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.",
                            "url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/"
                        },
                        {
                            "source_name": "Microsoft 4768 TGT 2017",
                            "description": "Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication ticket (TGT) was requested. Retrieved August 24, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "James Dunn, @jamdunnDFW, EY",
                        "Swapnil Kumbhar",
                        "Jacques Pluviose, @Jacqueswildy_IT",
                        "Dan Nutting, @KerberToast"
                    ],
                    "x_mitre_data_sources": [
                        "Windows event logs",
                        "Authentication logs"
                    ],
                    "x_mitre_detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests (Event ID 4769); TGT requests (Event ID 4768), which carry the pre-authentication type relevant to this technique, are logged under Audit Kerberos Authentication Service and should be enabled as well. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_system_requirements": [
                        "Valid domain account"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 18:47:08.759000+00:00",
                    "modified": "2020-10-21 22:37:49.258000+00:00",
                    "name": "Weaken Encryption",
                    "description": "Adversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively affect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1600",
                            "external_id": "T1600"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Encryption"
                    ],
                    "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). Some detection methods require vendor support to aid in investigation.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 19:11:18.757000+00:00",
                    "modified": "2020-10-21 22:37:48.503000+00:00",
                    "name": "Disable Crypto Hardware",
                    "description": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1600/002",
                            "external_id": "T1600.002"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring"
                    ],
                    "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 19:03:48.310000+00:00",
                    "modified": "2020-10-21 22:36:22.369000+00:00",
                    "name": "Reduce Key Space",
                    "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1600/001",
                            "external_id": "T1600.001"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring"
                    ],
                    "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                }
            ],
            "major_version_changes": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-30 14:24:34.977000+00:00",
                    "modified": "2020-07-22 21:36:52.458000+00:00",
                    "name": "Bypass User Account Control",
                    "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1548/002",
                            "external_id": "T1548.002"
                        },
                        {
                            "source_name": "TechNet How UAC Works",
                            "description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
                        },
                        {
                            "source_name": "TechNet Inside UAC",
                            "description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.",
                            "url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx"
                        },
                        {
                            "source_name": "MSDN COM Elevation",
                            "description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.",
                            "url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx"
                        },
                        {
                            "source_name": "Davidson Windows",
                            "description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.",
                            "url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html"
                        },
                        {
                            "source_name": "Github UACMe",
                            "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.",
                            "url": "https://github.com/hfiref0x/UACME"
                        },
                        {
                            "source_name": "enigma0x3 Fileless UAC Bypass",
                            "description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.",
                            "url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
                        },
                        {
                            "source_name": "Fortinet Fareit",
                            "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.",
                            "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
                        },
                        {
                            "source_name": "SANS UAC Bypass",
                            "description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.",
                            "url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass"
                        },
                        {
                            "source_name": "enigma0x3 sdclt app paths",
                            "description": "Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.",
                            "url": "https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/"
                        },
                        {
                            "source_name": "enigma0x3 sdclt bypass",
                            "description": "Nelson, M. (2017, March 17). \"Fileless\" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.",
                            "url": "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Stefan Kanthak",
                        "Casey Smith"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Windows User Account Control"
                    ],
                    "x_mitre_detection": "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.\n\nSome UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:\n\n* The <code>eventvwr.exe</code> bypass uses the <code>[HKEY_CURRENT_USER]\\Software\\Classes\\mscfile\\shell\\open\\command</code> Registry key.(Citation: enigma0x3 Fileless UAC Bypass)\n\n* The <code>sdclt.exe</code> bypass uses the <code>[HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe</code> and <code>[HKEY_CURRENT_USER]\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand</code> Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)\n\nAnalysts should monitor these Registry settings for unauthorized changes.",
                    "x_mitre_effective_permissions": [
                        "Administrator"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-22 21:36:52.458000+00:00\", \"old_value\": \"2020-06-25 19:57:54.510000+00:00\"}, \"root['name']\": {\"new_value\": \"Bypass User Account Control\", \"old_value\": \"Bypass User Access Control\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1047: Audit",
                            "M1051: Update Software",
                            "M1052: User Account Control"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-19 16:10:15.008000+00:00",
                    "modified": "2020-10-05 16:43:27.024000+00:00",
                    "name": "Additional Cloud Credentials",
                    "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nAdversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)\n\nAfter gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1098/001",
                            "external_id": "T1098.001"
                        },
                        {
                            "source_name": "Create Azure Service Principal",
                            "description": "Microsoft. (2020, January 8). Create an Azure service principal with Azure CLI. Retrieved January 19, 2020.",
                            "url": "https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?toc=%2Fazure%2Fazure-resource-manager%2Ftoc.json&view=azure-cli-latest"
                        },
                        {
                            "source_name": "Blue Cloud of Death",
                            "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.",
                            "url": "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1"
                        },
                        {
                            "source_name": "Blue Cloud of Death Video",
                            "description": "Kunz, Bryce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.",
                            "url": "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815"
                        },
                        {
                            "source_name": "Why AAD Service Principals",
                            "description": "Microsoft. (2019, September 23). Azure Superpowers Lab Manual. Retrieved January 19, 2020.",
                            "url": "https://github.com/microsoft/AzureSuperpowers/blob/master/docs/AzureSuperpowers.md#why-aad-service-principals"
                        },
                        {
                            "source_name": "Demystifying Azure AD Service Principals",
                            "description": "Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.",
                            "url": "https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/"
                        },
                        {
                            "source_name": "GCP SSH Key Add",
                            "description": "Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.",
                            "url": "https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add"
                        },
                        {
                            "source_name": "Expel IO Evil in AWS",
                            "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.",
                            "url": "https://expel.io/blog/finding-evil-in-aws/"
                        },
                        {
                            "source_name": "Expel Behind the Scenes",
                            "description": "S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.",
                            "url": "https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Expel",
                        "Oleg Kolesnikov, Securonix",
                        "Jannie Li, Microsoft Threat Intelligence Center (MSTIC)"
                    ],
                    "x_mitre_data_sources": [
                        "Stackdriver logs",
                        "GCP audit logs",
                        "AWS CloudTrail logs",
                        "Azure activity logs"
                    ],
                    "x_mitre_detection": "Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Azure AD",
                        "Azure",
                        "AWS",
                        "GCP"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-05 16:43:27.024000+00:00\", \"old_value\": \"2020-07-15 12:43:36.340000+00:00\"}, \"root['name']\": {\"new_value\": \"Additional Cloud Credentials\", \"old_value\": \"Additional Azure Service Principal Credentials\"}, \"root['description']\": {\"new_value\": \"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\\n\\nAdversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)\\n\\nAfter gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\", \"old_value\": \"Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to maintain persistent access to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of 
Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n-Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to maintain persistent access to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)\\n+Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\\n+\\n+Adversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)\\n+\\n+After gaining access through [Cloud 
Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\\n\\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\", \"old_value\": \"Monitor Azure Activity Logs for service principal modifications.\\n\\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Monitor Azure Activity Logs for service principal modifications.\\n+Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\\n \\n Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"GCP SSH Key Add\", \"description\": \"Google. (n.d.). gcloud compute os-login ssh-keys add. 
Retrieved October 1, 2020.\", \"url\": \"https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add\"}, \"root['external_references'][7]\": {\"source_name\": \"Expel IO Evil in AWS\", \"description\": \"A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.\", \"url\": \"https://expel.io/blog/finding-evil-in-aws/\"}, \"root['external_references'][8]\": {\"source_name\": \"Expel Behind the Scenes\", \"description\": \"S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.\", \"url\": \"https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/\"}, \"root['x_mitre_contributors'][0]\": \"Expel\", \"root['x_mitre_data_sources'][0]\": \"Stackdriver logs\", \"root['x_mitre_data_sources'][1]\": \"GCP audit logs\", \"root['x_mitre_data_sources'][2]\": \"AWS CloudTrail logs\", \"root['x_mitre_permissions_required'][1]\": \"User\", \"root['x_mitre_platforms'][2]\": \"AWS\", \"root['x_mitre_platforms'][3]\": \"GCP\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to28__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to28__0\"><a href=\"#difflib_chg_to28__top\">t</a></td><td class=\"diff_header\" id=\"from28_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;for&nbsp;Azu</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to28__top\">t</a></td><td class=\"diff_header\" id=\"to28_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">re&nbsp;Service&nbsp;Principals&nbsp;in&nbsp;addition&nbsp;to&nbsp;existing&nbsp;legitimate&nbsp;cre</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">oud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;accounts</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dentials(Citation:&nbsp;Create&nbsp;Azure&nbsp;Service&nbsp;Principal)&nbsp;to&nbsp;mainta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">&nbsp;and&nbsp;instances&nbsp;within&nbsp;the&nbsp;environment.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;add&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">in&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;Azure&nbsp;accounts.(Citation:&nbsp;Blu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">credentials&nbsp;for&nbsp;Azure&nbsp;Service&nbsp;Principals&nbsp;in&nbsp;addition&nbsp;to&nbsp;exis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;Cloud&nbsp;of&nbsp;Death)(Citation:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death&nbsp;Video)&nbsp;Azure</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ting&nbsp;legitimate&nbsp;credentials(Citation:&nbsp;Create&nbsp;Azure&nbsp;Service&nbsp;P</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Service&nbsp;Principals&nbsp;support&nbsp;both&nbsp;password&nbsp;and&nbsp;certificate&nbsp;cr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rincipal)&nbsp;to&nbsp;victim&nbsp;Azure&nbsp;accounts.(Citation:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">edentials.(Citation:&nbsp;Why&nbsp;AAD&nbsp;Service&nbsp;Principals)&nbsp;With&nbsp;suffic</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Death)(Citation:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death&nbsp;Video)&nbsp;Azure&nbsp;Service&nbsp;Pr</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ient&nbsp;permissions,&nbsp;there&nbsp;are&nbsp;a&nbsp;variety&nbsp;of&nbsp;ways&nbsp;to&nbsp;add&nbsp;credent</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">incipals&nbsp;support&nbsp;both&nbsp;password&nbsp;and&nbsp;certificate&nbsp;credentials.(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ials&nbsp;including&nbsp;the&nbsp;Azure&nbsp;Portal,&nbsp;Azure&nbsp;command&nbsp;line&nbsp;interfac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Citation:&nbsp;Why&nbsp;AAD&nbsp;Service&nbsp;Principals)&nbsp;With&nbsp;sufficient&nbsp;permis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e,&nbsp;and&nbsp;Azure&nbsp;or&nbsp;Az&nbsp;[PowerShell](https://attack.mitre.org/tec</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">sions,&nbsp;there&nbsp;are&nbsp;a&nbsp;variety&nbsp;of&nbsp;ways&nbsp;to&nbsp;add&nbsp;credentials&nbsp;includ</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">hniques/T1059/001)&nbsp;modules.(Citation:&nbsp;Demystifying&nbsp;Azure&nbsp;AD&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;the&nbsp;Azure&nbsp;Portal,&nbsp;Azure&nbsp;command&nbsp;line&nbsp;interface,&nbsp;and&nbsp;Azur</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Service&nbsp;Principals)</span></td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;or&nbsp;Az&nbsp;[PowerShell](https://attack.mitre.org/techniques/T10</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">59/001)&nbsp;modules.(Citation:&nbsp;Demystifying&nbsp;Azure&nbsp;AD&nbsp;Service&nbsp;Pri</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ncipals)&nbsp;&nbsp;After&nbsp;gaining&nbsp;access&nbsp;through&nbsp;[Cloud&nbsp;Accounts](http</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s://attack.mitre.org/techniques/T1078/004),&nbsp;adversaries&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">generate&nbsp;or&nbsp;import&nbsp;their&nbsp;own&nbsp;SSH&nbsp;keys&nbsp;using&nbsp;either&nbsp;the&nbsp;&lt;code</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&gt;CreateKeyPair&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;ImportKeyPair&lt;/code&gt;&nbsp;API&nbsp;in&nbsp;A</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">WS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;compute&nbsp;os-login&nbsp;ssh-keys&nbsp;add&lt;/code&gt;&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">command&nbsp;in&nbsp;GCP.(Citation:&nbsp;GCP&nbsp;SSH&nbsp;Key&nbsp;Add)&nbsp;This&nbsp;allows&nbsp;persi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">stent&nbsp;access&nbsp;to&nbsp;instances&nbsp;within&nbsp;the&nbsp;cloud&nbsp;environment&nbsp;witho</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ut&nbsp;further&nbsp;usage&nbsp;of&nbsp;the&nbsp;compromised&nbsp;cloud&nbsp;accounts.(Citation</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">:&nbsp;Expel&nbsp;IO&nbsp;Evil&nbsp;in&nbsp;AWS)(Citation:&nbsp;Expel&nbsp;Behind&nbsp;the&nbsp;Scenes)</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1030: Network Segmentation",
                            "M1032: Multi-factor Authentication"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-10-12 12:16:55.085000+00:00",
                    "name": "Data from Information Repositories",
                    "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1213",
                            "external_id": "T1213"
                        },
                        {
                            "source_name": "Microsoft SharePoint Logging",
                            "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.",
                            "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2"
                        },
                        {
                            "source_name": "Atlassian Confluence Logging",
                            "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.",
                            "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian",
                        "Milos Stojadinovic"
                    ],
                    "x_mitre_data_sources": [
                        "OAuth audit logs",
                        "Application logs",
                        "Authentication logs",
                        "Data loss prevention",
                        "Third-party application logs"
                    ],
                    "x_mitre_detection": "As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In high-maturity environments, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.\n\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS",
                        "SaaS",
                        "Office 365"
                    ],
                    "x_mitre_version": "3.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-12 12:16:55.085000+00:00\", \"old_value\": \"2020-06-30 22:50:06.087000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\\n\\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\\n\\n* Policies, procedures, and standards\\n* Physical / logical network diagrams\\n* System architecture diagrams\\n* Technical system documentation\\n* Testing / development credentials\\n* Work / project schedules\\n* Source code snippets\\n* Links to network shares and other internal resources\\n\\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.\", \"old_value\": \"Adversaries may leverage information repositories to mine valuable information. 
Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\\n\\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\\n\\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\\n\\n* Policies, procedures, and standards\\n* Physical / logical network diagrams\\n* System architecture diagrams\\n* Technical system documentation\\n* Testing / development credentials\\n* Work / project schedules\\n* Source code snippets\\n* Links to network shares and other internal resources\\n\\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,4 @@\\n Adversaries may leverage information repositories to mine valuable information. 
Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\\n-\\n-Adversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\\n \\n The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\\n \"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['x_mitre_data_sources'][0]\": \"Azure activity logs\", \"root['x_mitre_data_sources'][1]\": \"AWS CloudTrail logs\", \"root['x_mitre_data_sources'][2]\": \"Stackdriver logs\", \"root['x_mitre_platforms'][4]\": \"AWS\", \"root['x_mitre_platforms'][5]\": \"GCP\", \"root['x_mitre_platforms'][6]\": \"Azure\"}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 3.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to27__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to27__0\"><a href=\"#difflib_chg_to27__top\">t</a></td><td class=\"diff_header\" id=\"from27_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;leverage&nbsp;information&nbsp;repositories&nbsp;to&nbsp;mine&nbsp;va</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to27__top\">t</a></td><td class=\"diff_header\" id=\"to27_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;leverage&nbsp;information&nbsp;repositories&nbsp;to&nbsp;mine&nbsp;va</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">luable&nbsp;information.&nbsp;Information&nbsp;repositories&nbsp;are&nbsp;tools&nbsp;that&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">luable&nbsp;information.&nbsp;Information&nbsp;repositories&nbsp;are&nbsp;tools&nbsp;that&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">allow&nbsp;for&nbsp;storage&nbsp;of&nbsp;information,&nbsp;typically&nbsp;to&nbsp;facilitate&nbsp;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">allow&nbsp;for&nbsp;storage&nbsp;of&nbsp;information,&nbsp;typically&nbsp;to&nbsp;facilitate&nbsp;co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">llaboration&nbsp;or&nbsp;information&nbsp;sharing&nbsp;between&nbsp;users,&nbsp;and&nbsp;can&nbsp;st</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">llaboration&nbsp;or&nbsp;information&nbsp;sharing&nbsp;between&nbsp;users,&nbsp;and&nbsp;can&nbsp;st</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ore&nbsp;a&nbsp;wide&nbsp;variety&nbsp;of&nbsp;data&nbsp;that&nbsp;may&nbsp;aid&nbsp;adversaries&nbsp;in&nbsp;furth</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ore&nbsp;a&nbsp;wide&nbsp;variety&nbsp;of&nbsp;data&nbsp;that&nbsp;may&nbsp;aid&nbsp;adversaries&nbsp;in&nbsp;furth</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">er&nbsp;objectives,&nbsp;or&nbsp;direct&nbsp;access&nbsp;to&nbsp;the&nbsp;target&nbsp;information.&nbsp;&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;objectives,&nbsp;or&nbsp;direct&nbsp;access&nbsp;to&nbsp;the&nbsp;target&nbsp;information.&nbsp;&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;also&nbsp;collect&nbsp;information&nbsp;from&nbsp;shared&nbsp;storage</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">The&nbsp;following&nbsp;is&nbsp;a&nbsp;brief&nbsp;list&nbsp;of&nbsp;example&nbsp;information&nbsp;that&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;repositories&nbsp;hosted&nbsp;on&nbsp;cloud&nbsp;infrastructure&nbsp;or&nbsp;in&nbsp;software-</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;hold&nbsp;potential&nbsp;value&nbsp;to&nbsp;an&nbsp;adversary&nbsp;and&nbsp;may&nbsp;also&nbsp;be&nbsp;found</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">as-a-service&nbsp;(SaaS)&nbsp;applications,&nbsp;as&nbsp;storage&nbsp;is&nbsp;one&nbsp;of&nbsp;the&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;on&nbsp;an&nbsp;information&nbsp;repository:&nbsp;&nbsp;*&nbsp;Policies,&nbsp;procedures,&nbsp;and&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ore&nbsp;fundamental&nbsp;requirements&nbsp;for&nbsp;cloud&nbsp;services&nbsp;and&nbsp;systems.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">standards&nbsp;*&nbsp;Physical&nbsp;/&nbsp;logical&nbsp;network&nbsp;diagrams&nbsp;*&nbsp;System&nbsp;arc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;&nbsp;The&nbsp;following&nbsp;is&nbsp;a&nbsp;brief&nbsp;list&nbsp;of&nbsp;example&nbsp;information&nbsp;that&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">hitecture&nbsp;diagrams&nbsp;*&nbsp;Technical&nbsp;system&nbsp;documentation&nbsp;*&nbsp;Testin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">may&nbsp;hold&nbsp;potential&nbsp;value&nbsp;to&nbsp;an&nbsp;adversary&nbsp;and&nbsp;may&nbsp;also&nbsp;be&nbsp;fou</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;/&nbsp;development&nbsp;credentials&nbsp;*&nbsp;Work&nbsp;/&nbsp;project&nbsp;schedules&nbsp;*&nbsp;Sou</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd&nbsp;on&nbsp;an&nbsp;information&nbsp;repository:&nbsp;&nbsp;*&nbsp;Policies,&nbsp;procedures,&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rce&nbsp;code&nbsp;snippets&nbsp;*&nbsp;Links&nbsp;to&nbsp;network&nbsp;shares&nbsp;and&nbsp;other&nbsp;intern</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;standards&nbsp;*&nbsp;Physical&nbsp;/&nbsp;logical&nbsp;network&nbsp;diagrams&nbsp;*&nbsp;System&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">al&nbsp;resources&nbsp;&nbsp;Information&nbsp;stored&nbsp;in&nbsp;a&nbsp;repository&nbsp;may&nbsp;vary&nbsp;ba</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rchitecture&nbsp;diagrams&nbsp;*&nbsp;Technical&nbsp;system&nbsp;documentation&nbsp;*&nbsp;Test</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">sed&nbsp;on&nbsp;the&nbsp;specific&nbsp;instance&nbsp;or&nbsp;environment.&nbsp;Specific&nbsp;common</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ing&nbsp;/&nbsp;development&nbsp;credentials&nbsp;*&nbsp;Work&nbsp;/&nbsp;project&nbsp;schedules&nbsp;*&nbsp;S</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;information&nbsp;repositories&nbsp;include&nbsp;[Sharepoint](https://attac</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ource&nbsp;code&nbsp;snippets&nbsp;*&nbsp;Links&nbsp;to&nbsp;network&nbsp;shares&nbsp;and&nbsp;other&nbsp;inte</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">k.mitre.org/techniques/T1213/002),&nbsp;[Confluence](https://atta</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rnal&nbsp;resources&nbsp;&nbsp;Information&nbsp;stored&nbsp;in&nbsp;a&nbsp;repository&nbsp;may&nbsp;vary&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ck.mitre.org/techniques/T1213/001),&nbsp;and&nbsp;enterprise&nbsp;databases</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">based&nbsp;on&nbsp;the&nbsp;specific&nbsp;instance&nbsp;or&nbsp;environment.&nbsp;Specific&nbsp;comm</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;such&nbsp;as&nbsp;SQL&nbsp;Server.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">on&nbsp;information&nbsp;repositories&nbsp;include&nbsp;[Sharepoint](https://att</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ack.mitre.org/techniques/T1213/002),&nbsp;[Confluence](https://at</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tack.mitre.org/techniques/T1213/001),&nbsp;and&nbsp;enterprise&nbsp;databas</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;such&nbsp;as&nbsp;SQL&nbsp;Server.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1017: User Training",
                            "M1018: User Account Management",
                            "M1047: Audit",
                            "T1213: Data from Information Repositories Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-21 20:56:06.498000+00:00",
                    "modified": "2020-10-16 18:25:12.727000+00:00",
                    "name": "Impair Command History Logging",
                    "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \u201c ls\u201d will not be saved, but \u201cls\u201d would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. 
This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1562/003",
                            "external_id": "T1562.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/13.html",
                            "external_id": "CAPEC-13"
                        },
                        {
                            "source_name": "Microsoft PowerShell Command History",
                            "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.",
                            "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7"
                        },
                        {
                            "source_name": "Sophos PowerShell command audit",
                            "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.",
                            "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit"
                        },
                        {
                            "source_name": "Sophos PowerShell Command History Forensics",
                            "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.",
                            "url": "https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Vikas Singh, Sophos",
                        "Emile Kenning, Sophos"
                    ],
                    "x_mitre_data_sources": [
                        "PowerShell logs",
                        "Process command-line parameters",
                        "Environment variable",
                        "File monitoring",
                        "Authentication logs",
                        "Process monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Host forensic analysis",
                        "Log analysis"
                    ],
                    "x_mitre_detection": "Correlating a user session with a distinct lack of new commands in their <code>.bash_history</code> can be a clue to suspicious behavior. Additionally, users checking or changing their <code>HISTCONTROL</code>, <code>HISTFILE</code>, or <code>HISTFILESIZE</code> environment variables may be suspicious.\n\nMonitor for modification of PowerShell command history settings through processes being created with <code>-HistorySaveStyle SaveNothing</code> command-line arguments and use of the PowerShell commands <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code> and <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. ",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Vikas Singh, Sophos\", \"Emile Kenning, Sophos\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-16 18:25:12.727000+00:00\", \"old_value\": \"2020-03-29 22:09:18.020000+00:00\"}, \"root['name']\": {\"new_value\": \"Impair Command History Logging\", \"old_value\": \"HISTCONTROL\"}, \"root['description']\": {\"new_value\": \"Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \\n\\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.\\n\\nAdversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to \\\"ignorespace\\\". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to \\\"ignoredups\\\". In some Linux systems, this is set by default to \\\"ignoreboth\\\" which covers both of the previous examples. This means that \\u201c ls\\u201d will not be saved, but \\u201cls\\u201d would be saved by history. 
Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\\n\\nOn Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)\", \"old_value\": \"Adversaries may configure <code>HISTCONTROL</code> to not log all command history. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.\\n\\nThis setting can be configured to ignore commands that start with a space by simply setting it to \\\"ignorespace\\\". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to \\\"ignoredups\\\". In some Linux systems, this is set by default to \\\"ignoreboth\\\" which covers both of the previous examples. This means that \\u201c ls\\u201d will not be saved, but \\u201cls\\u201d would be saved by history.\\n\\n Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may configure <code>HISTCONTROL</code> to not log all command history. 
The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.\\n+Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \\n \\n-This setting can be configured to ignore commands that start with a space by simply setting it to \\\"ignorespace\\\". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to \\\"ignoredups\\\". In some Linux systems, this is set by default to \\\"ignoreboth\\\" which covers both of the previous examples. This means that \\u201c ls\\u201d will not be saved, but \\u201cls\\u201d would be saved by history.\\n+On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.\\n \\n- Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\\n+Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. 
Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to \\\"ignorespace\\\". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to \\\"ignoredups\\\". In some Linux systems, this is set by default to \\\"ignoreboth\\\" which covers both of the previous examples. This means that \\u201c ls\\u201d will not be saved, but \\u201cls\\u201d would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\\n+\\n+On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Correlating a user session with a distinct lack of new commands in their <code>.bash_history</code> can be a clue to suspicious behavior. 
Additionally, users checking or changing their <code>HISTCONTROL</code>, <code>HISTFILE</code>, or <code>HISTFILESIZE</code> environment variables may be suspicious.\\n\\nMonitor for modification of PowerShell command history settings through processes being created with <code>-HistorySaveStyle SaveNothing</code> command-line arguments and use of the PowerShell commands <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code> and <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. \", \"old_value\": \"Correlating a user session with a distinct lack of new commands in their <code>.bash_history</code> can be a clue to suspicious behavior. Additionally, users checking or changing their <code>HISTCONTROL</code> environment variable is also suspicious.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-Correlating a user session with a distinct lack of new commands in their <code>.bash_history</code> can be a clue to suspicious behavior. Additionally, users checking or changing their <code>HISTCONTROL</code> environment variable is also suspicious.\\n+Correlating a user session with a distinct lack of new commands in their <code>.bash_history</code> can be a clue to suspicious behavior. Additionally, users checking or changing their <code>HISTCONTROL</code>, <code>HISTFILE</code>, or <code>HISTFILESIZE</code> environment variables may be suspicious.\\n+\\n+Monitor for modification of PowerShell command history settings through processes being created with <code>-HistorySaveStyle SaveNothing</code> command-line arguments and use of the PowerShell commands <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code> and <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. \"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Microsoft PowerShell Command History\", \"description\": \"Microsoft. (2020, May 13). About History. 
Retrieved September 4, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7\"}, \"root['external_references'][3]\": {\"source_name\": \"Sophos PowerShell command audit\", \"description\": \"jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.\", \"url\": \"https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit\"}, \"root['external_references'][4]\": {\"source_name\": \"Sophos PowerShell Command History Forensics\", \"description\": \"Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.\", \"url\": \"https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics\"}, \"root['x_mitre_data_sources'][0]\": \"PowerShell logs\", \"root['x_mitre_data_sources'][1]\": \"Process command-line parameters\", \"root['x_mitre_platforms'][2]\": \"Windows\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to19__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to19__0\"><a href=\"#difflib_chg_to19__top\">t</a></td><td class=\"diff_header\" id=\"from19_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;configure&nbsp;&lt;code&gt;HISTCONTROL&lt;/code&gt;&nbsp;to&nbsp;not&nbsp;lo</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to19__top\">t</a></td><td class=\"diff_header\" id=\"to19_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;impair&nbsp;command&nbsp;history&nbsp;logging&nbsp;to&nbsp;hide&nbsp;comma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">g&nbsp;all&nbsp;command&nbsp;history.&nbsp;The&nbsp;&lt;code&gt;HISTCONTROL&lt;/code&gt;&nbsp;environm</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nds&nbsp;they&nbsp;run&nbsp;on&nbsp;a&nbsp;compromised&nbsp;system.&nbsp;Various&nbsp;command&nbsp;interp</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ent&nbsp;variable&nbsp;keeps&nbsp;track&nbsp;of&nbsp;what&nbsp;should&nbsp;be&nbsp;saved&nbsp;by&nbsp;the&nbsp;&lt;cod</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">reters&nbsp;keep&nbsp;track&nbsp;of&nbsp;the&nbsp;commands&nbsp;users&nbsp;type&nbsp;in&nbsp;their&nbsp;termin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&gt;history&lt;/code&gt;&nbsp;command&nbsp;and&nbsp;eventually&nbsp;into&nbsp;the&nbsp;&lt;code&gt;~/.ba</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">al&nbsp;so&nbsp;that&nbsp;users&nbsp;can&nbsp;retrace&nbsp;what&nbsp;they've&nbsp;done.&nbsp;&nbsp;&nbsp;On&nbsp;Linux&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">sh_history&lt;/code&gt;&nbsp;file&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;out.&nbsp;&lt;code&gt;HISTCONTR</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;macOS,&nbsp;command&nbsp;history&nbsp;is&nbsp;tracked&nbsp;in&nbsp;a&nbsp;file&nbsp;pointed&nbsp;to&nbsp;by</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">OL&lt;/code&gt;&nbsp;does&nbsp;not&nbsp;exist&nbsp;by&nbsp;default&nbsp;on&nbsp;macOS,&nbsp;but&nbsp;can&nbsp;be&nbsp;set</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;environment&nbsp;variable&nbsp;&lt;code&gt;HISTFILE&lt;/code&gt;.&nbsp;When&nbsp;a&nbsp;user</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;by&nbsp;the&nbsp;user&nbsp;and&nbsp;will&nbsp;be&nbsp;respected.&nbsp;&nbsp;This&nbsp;setting&nbsp;can&nbsp;be&nbsp;con</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">&nbsp;logs&nbsp;off&nbsp;a&nbsp;system,&nbsp;this&nbsp;information&nbsp;is&nbsp;flushed&nbsp;to&nbsp;a&nbsp;file&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">figured&nbsp;to&nbsp;ignore&nbsp;commands&nbsp;that&nbsp;start&nbsp;with&nbsp;a&nbsp;space&nbsp;by&nbsp;simply</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;user's&nbsp;home&nbsp;directory&nbsp;called&nbsp;&lt;code&gt;~/.bash_history&lt;/cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;setting&nbsp;it&nbsp;to&nbsp;\"ignorespace\".&nbsp;&lt;code&gt;HISTCONTROL&lt;/code&gt;&nbsp;can&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;.&nbsp;The&nbsp;&lt;code&gt;HISTCONTROL&lt;/code&gt;&nbsp;environment&nbsp;variable&nbsp;keeps&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lso&nbsp;be&nbsp;set&nbsp;to&nbsp;ignore&nbsp;duplicate&nbsp;commands&nbsp;by&nbsp;setting&nbsp;it&nbsp;to&nbsp;\"ig</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">track&nbsp;of&nbsp;what&nbsp;should&nbsp;be&nbsp;saved&nbsp;by&nbsp;the&nbsp;&lt;code&gt;history&lt;/code&gt;&nbsp;co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">noredups\".&nbsp;In&nbsp;some&nbsp;Linux&nbsp;systems,&nbsp;this&nbsp;is&nbsp;set&nbsp;by&nbsp;default&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">mmand&nbsp;and&nbsp;eventually&nbsp;into&nbsp;the&nbsp;&lt;code&gt;~/.bash_history&lt;/code&gt;&nbsp;f</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\"ignoreboth\"&nbsp;which&nbsp;covers&nbsp;both&nbsp;of&nbsp;the&nbsp;previous&nbsp;examples.&nbsp;Thi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ile&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;out.&nbsp;&lt;code&gt;HISTCONTROL&lt;/code&gt;&nbsp;does&nbsp;not&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;means&nbsp;that&nbsp;\u201c&nbsp;ls\u201d&nbsp;will&nbsp;not&nbsp;be&nbsp;saved,&nbsp;but&nbsp;\u201cls\u201d&nbsp;would&nbsp;be&nbsp;save</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">exist&nbsp;by&nbsp;default&nbsp;on&nbsp;macOS,&nbsp;but&nbsp;can&nbsp;be&nbsp;set&nbsp;by&nbsp;the&nbsp;user&nbsp;and&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;by&nbsp;history.&nbsp;&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;abuse&nbsp;this&nbsp;to&nbsp;operate&nbsp;withou</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ll&nbsp;be&nbsp;respected.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;clear&nbsp;the&nbsp;history&nbsp;environm</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;leaving&nbsp;traces&nbsp;by&nbsp;simply&nbsp;prepending&nbsp;a&nbsp;space&nbsp;to&nbsp;all&nbsp;of&nbsp;thei</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ent&nbsp;variable&nbsp;(&lt;code&gt;unset&nbsp;HISTFILE&lt;/code&gt;)&nbsp;or&nbsp;set&nbsp;the&nbsp;comman</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">r&nbsp;terminal&nbsp;commands.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;history&nbsp;size&nbsp;to&nbsp;zero&nbsp;(&lt;code&gt;export&nbsp;HISTFILESIZE=0&lt;/code&gt;)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;prevent&nbsp;logging&nbsp;of&nbsp;commands.&nbsp;Additionally,&nbsp;&lt;code&gt;HISTCONT</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ROL&lt;/code&gt;&nbsp;can&nbsp;be&nbsp;configured&nbsp;to&nbsp;ignore&nbsp;commands&nbsp;that&nbsp;start&nbsp;w</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ith&nbsp;a&nbsp;space&nbsp;by&nbsp;simply&nbsp;setting&nbsp;it&nbsp;to&nbsp;\"ignorespace\".&nbsp;&lt;code&gt;HIS</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">TCONTROL&lt;/code&gt;&nbsp;can&nbsp;also&nbsp;be&nbsp;set&nbsp;to&nbsp;ignore&nbsp;duplicate&nbsp;commands</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td 
nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;by&nbsp;setting&nbsp;it&nbsp;to&nbsp;\"ignoredups\".&nbsp;In&nbsp;some&nbsp;Linux&nbsp;systems,&nbsp;this&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">is&nbsp;set&nbsp;by&nbsp;default&nbsp;to&nbsp;\"ignoreboth\"&nbsp;which&nbsp;covers&nbsp;both&nbsp;of&nbsp;the&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">revious&nbsp;examples.&nbsp;This&nbsp;means&nbsp;that&nbsp;\u201c&nbsp;ls\u201d&nbsp;will&nbsp;not&nbsp;be&nbsp;saved,&nbsp;b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ut&nbsp;\u201cls\u201d&nbsp;would&nbsp;be&nbsp;saved&nbsp;by&nbsp;history.&nbsp;Adversaries&nbsp;can&nbsp;abuse&nbsp;thi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;to&nbsp;operate&nbsp;without&nbsp;leaving&nbsp;traces&nbsp;by&nbsp;simply&nbsp;prepending&nbsp;a&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">pace&nbsp;to&nbsp;all&nbsp;of&nbsp;their&nbsp;terminal&nbsp;commands.&nbsp;&nbsp;On&nbsp;Windows&nbsp;systems,</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;&lt;code&gt;PSReadLine&lt;/code&gt;&nbsp;module&nbsp;tracks&nbsp;commands&nbsp;used&nbsp;in&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">all&nbsp;PowerShell&nbsp;sessions&nbsp;and&nbsp;writes&nbsp;them&nbsp;to&nbsp;a&nbsp;file&nbsp;(&lt;code&gt;$en</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">v:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHos</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t_history.txt&lt;/code&gt;&nbsp;by&nbsp;default).&nbsp;Adversaries&nbsp;may&nbsp;change&nbsp;whe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re&nbsp;these&nbsp;logs&nbsp;are&nbsp;saved&nbsp;using&nbsp;&lt;code&gt;Set-PSReadLineOption&nbsp;-Hi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\"><span class=\"diff_add\">storySavePath&nbsp;{File&nbsp;Path}&lt;/code&gt;.&nbsp;This&nbsp;will&nbsp;cause&nbsp;&lt;code&gt;Cons</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">oleHost_history.txt&lt;/code&gt;&nbsp;to&nbsp;stop&nbsp;receiving&nbsp;logs.&nbsp;Additiona</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lly,&nbsp;it&nbsp;is&nbsp;possible&nbsp;to&nbsp;turn&nbsp;off&nbsp;logging&nbsp;to&nbsp;this&nbsp;file&nbsp;using&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">he&nbsp;PowerShell&nbsp;command&nbsp;&lt;code&gt;Set-PSReadlineOption&nbsp;-HistorySav</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">eStyle&nbsp;SaveNothing&lt;/code&gt;.(Citation:&nbsp;Microsoft&nbsp;PowerShell&nbsp;Co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mmand&nbsp;History)(Citation:&nbsp;Sophos&nbsp;PowerShell&nbsp;command&nbsp;audit)(Ci</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\"><span class=\"diff_add\">tation:&nbsp;Sophos&nbsp;PowerShell&nbsp;Command&nbsp;History&nbsp;Forensics)</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1028: Operating System Configuration",
                            "M1039: Environment Variable Permissions"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-12-14 16:46:06.044000+00:00",
                    "modified": "2020-10-07 18:10:06.463000+00:00",
                    "name": "Network Share Discovery",
                    "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1135",
                            "external_id": "T1135"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/643.html",
                            "external_id": "CAPEC-643"
                        },
                        {
                            "source_name": "Wikipedia Shared Resource",
                            "description": "Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.",
                            "url": "https://en.wikipedia.org/wiki/Shared_resource"
                        },
                        {
                            "source_name": "TechNet Shared Folder",
                            "description": "Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.",
                            "url": "https://technet.microsoft.com/library/cc770880.aspx"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "Process command-line parameters",
                        "Network protocol analysis",
                        "Process use of network"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "macOS",
                        "Windows",
                        "Linux"
                    ],
                    "x_mitre_version": "3.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-07 18:10:06.463000+00:00\", \"old_value\": \"2020-03-15 00:59:10.149000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \\n\\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\\\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\", \"old_value\": \"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \\n\\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\\\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\\n\\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. 
For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,3 @@\\n Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \\n \\n File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\\\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\\n-\\n-Cloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\", \"old_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\\n\\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. 
Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,3 @@\\n System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n \\n Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\\n-\\n-In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][4]\": {\"source_name\": \"Amazon Creating an NFS File Share\", \"description\": \"Amazon. (n.d.). Creating an NFS File Share. Retrieved October 23, 2019.\", \"url\": \"https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingAnNFSFileShare.html\"}, \"root['external_references'][5]\": {\"source_name\": \"Google File servers on Compute Engine\", \"description\": \"Google Cloud. (2019, October 10). File servers on Compute Engine. 
Retrieved October 23, 2019.\", \"url\": \"https://cloud.google.com/solutions/filers-on-compute-engine\"}, \"root['x_mitre_platforms'][2]\": \"AWS\", \"root['x_mitre_platforms'][3]\": \"GCP\", \"root['x_mitre_platforms'][4]\": \"Azure\"}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 3.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to6__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to6__0\"><a href=\"#difflib_chg_to6__top\">t</a></td><td class=\"diff_header\" id=\"from6_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;look&nbsp;for&nbsp;folders&nbsp;and&nbsp;drives&nbsp;shared&nbsp;on&nbsp;remote</td><td class=\"diff_next\"><a href=\"#difflib_chg_to6__top\">t</a></td><td class=\"diff_header\" id=\"to6_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;look&nbsp;for&nbsp;folders&nbsp;and&nbsp;drives&nbsp;shared&nbsp;on&nbsp;remote</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;systems&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;identifying&nbsp;sources&nbsp;of&nbsp;information&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;systems&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;identifying&nbsp;sources&nbsp;of&nbsp;information&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;gather&nbsp;as&nbsp;a&nbsp;precursor&nbsp;for&nbsp;Collection&nbsp;and&nbsp;to&nbsp;identify&nbsp;potent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;gather&nbsp;as&nbsp;a&nbsp;precursor&nbsp;for&nbsp;Collection&nbsp;and&nbsp;to&nbsp;identify&nbsp;potent</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">ial&nbsp;systems&nbsp;of&nbsp;interest&nbsp;for&nbsp;Lateral&nbsp;Movement.&nbsp;Networks&nbsp;often</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ial&nbsp;systems&nbsp;of&nbsp;interest&nbsp;for&nbsp;Lateral&nbsp;Movement.&nbsp;Networks&nbsp;often</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;contain&nbsp;shared&nbsp;network&nbsp;drives&nbsp;and&nbsp;folders&nbsp;that&nbsp;enable&nbsp;users</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;contain&nbsp;shared&nbsp;network&nbsp;drives&nbsp;and&nbsp;folders&nbsp;that&nbsp;enable&nbsp;users</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;access&nbsp;file&nbsp;directories&nbsp;on&nbsp;various&nbsp;systems&nbsp;across&nbsp;a&nbsp;netw</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;access&nbsp;file&nbsp;directories&nbsp;on&nbsp;various&nbsp;systems&nbsp;across&nbsp;a&nbsp;netw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork.&nbsp;&nbsp;&nbsp;File&nbsp;sharing&nbsp;over&nbsp;a&nbsp;Windows&nbsp;network&nbsp;occurs&nbsp;over&nbsp;the&nbsp;S</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork.&nbsp;&nbsp;&nbsp;File&nbsp;sharing&nbsp;over&nbsp;a&nbsp;Windows&nbsp;network&nbsp;occurs&nbsp;over&nbsp;the&nbsp;S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">MB&nbsp;protocol.&nbsp;(Citation:&nbsp;Wikipedia&nbsp;Shared&nbsp;Resource)&nbsp;(Citation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">MB&nbsp;protocol.&nbsp;(Citation:&nbsp;Wikipedia&nbsp;Shared&nbsp;Resource)&nbsp;(Citation</td></tr>\n    
        <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;TechNet&nbsp;Shared&nbsp;Folder)&nbsp;[Net](https://attack.mitre.org/soft</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;TechNet&nbsp;Shared&nbsp;Folder)&nbsp;[Net](https://attack.mitre.org/soft</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware/S0039)&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;query&nbsp;a&nbsp;remote&nbsp;system&nbsp;for&nbsp;availab</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware/S0039)&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;query&nbsp;a&nbsp;remote&nbsp;system&nbsp;for&nbsp;availab</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;shared&nbsp;drives&nbsp;using&nbsp;the&nbsp;&lt;code&gt;net&nbsp;view&nbsp;\\\\remotesystem&lt;/co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;shared&nbsp;drives&nbsp;using&nbsp;the&nbsp;&lt;code&gt;net&nbsp;view&nbsp;\\\\remotesystem&lt;/co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;&nbsp;command.&nbsp;It&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;query&nbsp;shared&nbsp;drives&nbsp;on&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;&nbsp;command.&nbsp;It&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;query&nbsp;shared&nbsp;drives&nbsp;on&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;local&nbsp;system&nbsp;using&nbsp;&lt;code&gt;net&nbsp;share&lt;/code&gt;.<span class=\"diff_sub\">&nbsp;&nbsp;Cloud&nbsp;virtual</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">he&nbsp;local&nbsp;system&nbsp;using&nbsp;&lt;code&gt;net&nbsp;share&lt;/code&gt;.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;networks&nbsp;may&nbsp;contain&nbsp;remote&nbsp;network&nbsp;shares&nbsp;or&nbsp;file&nbsp;storage&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">services&nbsp;accessible&nbsp;to&nbsp;an&nbsp;adversary&nbsp;after&nbsp;they&nbsp;have&nbsp;obtained</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;access&nbsp;to&nbsp;a&nbsp;system.&nbsp;For&nbsp;example,&nbsp;AWS,&nbsp;GCP,&nbsp;and&nbsp;Azure&nbsp;suppor</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;creation&nbsp;of&nbsp;Network&nbsp;File&nbsp;System&nbsp;(NFS)&nbsp;shares&nbsp;and&nbsp;Server&nbsp;Me</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ssage&nbsp;Block&nbsp;(SMB)&nbsp;shares&nbsp;that&nbsp;may&nbsp;be&nbsp;mapped&nbsp;on&nbsp;endpoint&nbsp;or&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">loud-based&nbsp;systems.(Citation:&nbsp;Amazon&nbsp;Creating&nbsp;an&nbsp;NFS&nbsp;File&nbsp;Sh</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">are)(Citation:&nbsp;Google&nbsp;File&nbsp;servers&nbsp;on&nbsp;Compute&nbsp;Engine)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1028: Operating System Configuration",
                            "T1135: Network Share Discovery Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-02 18:45:07.892000+00:00",
                    "modified": "2020-10-18 01:55:03.337000+00:00",
                    "name": "Phishing",
                    "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1566",
                            "external_id": "T1566"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/98.html",
                            "external_id": "CAPEC-98"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Packet capture",
                        "Web proxy",
                        "Email gateway",
                        "Mail server",
                        "Network intrusion detection system",
                        "Detonation chamber",
                        "SSL/TLS inspection",
                        "Anti-virus"
                    ],
                    "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "SaaS",
                        "Office 365"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-18 01:55:03.337000+00:00\", \"old_value\": \"2020-03-28 00:04:46.427000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\\n\\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.\", \"old_value\": \"Adversaries may send phishing messages to elicit sensitive information and/or gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\\n\\nAdversaries may send victim\\u2019s emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may send phishing messages to elicit sensitive information and/or gain access to victim systems. All forms of phishing are electronically delivered social engineering. 
Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\\n+Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\\n \\n-Adversaries may send victim\\u2019s emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.\\n+Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to2__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to2__0\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"from2_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;send&nbsp;phishing&nbsp;messages&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;i</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"to2_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;send&nbsp;phishing&nbsp;messages&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;vic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nformation&nbsp;and/or&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;All&nbsp;forms&nbsp;o</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tim&nbsp;systems.&nbsp;All&nbsp;forms&nbsp;of&nbsp;phishing&nbsp;are&nbsp;electronically&nbsp;delive</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">f&nbsp;phishing&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering.&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">red&nbsp;social&nbsp;engineering.&nbsp;Phishing&nbsp;can&nbsp;be&nbsp;targeted,&nbsp;known&nbsp;as&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Phishing&nbsp;can&nbsp;be&nbsp;targeted,&nbsp;known&nbsp;as&nbsp;spearphishing.&nbsp;In&nbsp;spearph</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pearphishing.&nbsp;In&nbsp;spearphishing,&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;compa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ishing,&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry&nbsp;will&nbsp;be&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ny,&nbsp;or&nbsp;industry&nbsp;will&nbsp;be&nbsp;targeted&nbsp;by&nbsp;the&nbsp;adversary.&nbsp;More&nbsp;gene</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">targeted&nbsp;by&nbsp;the&nbsp;adversary.&nbsp;More&nbsp;generally,&nbsp;adversaries&nbsp;can&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rally,&nbsp;adversaries&nbsp;can&nbsp;conduct&nbsp;non-targeted&nbsp;phishing,&nbsp;such&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">onduct&nbsp;non-targeted&nbsp;phishing,&nbsp;such&nbsp;as&nbsp;in&nbsp;mass&nbsp;malware&nbsp;spam&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">s&nbsp;in&nbsp;mass&nbsp;malware&nbsp;spam&nbsp;campaigns.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;send&nbsp;vict</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ampaigns.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;send&nbsp;victim\u2019s&nbsp;emails&nbsp;containing&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ims&nbsp;emails&nbsp;containing&nbsp;malicious&nbsp;attachments&nbsp;or&nbsp;links,&nbsp;typica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alicious&nbsp;attachments&nbsp;or&nbsp;links,&nbsp;typically&nbsp;to&nbsp;execute&nbsp;maliciou</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lly&nbsp;to&nbsp;execute&nbsp;malicious&nbsp;code&nbsp;on&nbsp;victim&nbsp;systems&nbsp;or&nbsp;to&nbsp;gather</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;code&nbsp;on&nbsp;victim&nbsp;systems&nbsp;or&nbsp;to&nbsp;gather&nbsp;credentials&nbsp;for&nbsp;use&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;credentials&nbsp;for&nbsp;use&nbsp;of&nbsp;[Valid&nbsp;Accounts](https://attack.mitr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;[Valid&nbsp;Accounts](https://attack.mitre.org/techniques/T1078)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e.org/techniques/T1078).&nbsp;Phishing&nbsp;may&nbsp;also&nbsp;be&nbsp;conducted&nbsp;via&nbsp;</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.&nbsp;Phishing&nbsp;may&nbsp;also&nbsp;be&nbsp;conducted&nbsp;via&nbsp;third-party&nbsp;services,&nbsp;l</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">third-party&nbsp;services,&nbsp;like&nbsp;social&nbsp;media&nbsp;platforms.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ike&nbsp;social&nbsp;media&nbsp;platforms.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1017: User Training",
                            "M1021: Restrict Web-Based Content",
                            "M1031: Network Intrusion Prevention",
                            "M1049: Antivirus/Antimalware"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-02 19:05:18.137000+00:00",
                    "modified": "2020-10-18 01:52:25.316000+00:00",
                    "name": "Spearphishing Attachment",
                    "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1566/001",
                            "external_id": "T1566.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/163.html",
                            "external_id": "CAPEC-163"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Packet capture",
                        "Network intrusion detection system",
                        "Detonation chamber",
                        "Email gateway",
                        "Mail server"
                    ],
                    "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "macOS",
                        "Windows",
                        "Linux"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-18 01:52:25.316000+00:00\", \"old_value\": \"2020-03-27 23:56:40.369000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\\n\\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\", \"old_value\": \"Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. 
Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\\n\\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. 
In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\\n+Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\\n \\n There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to14__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to14__0\"><a href=\"#difflib_chg_to14__top\">t</a></td><td class=\"diff_header\" id=\"from14_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;a</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to14__top\">t</a></td><td class=\"diff_header\" id=\"to14_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ttachment&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;and/</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ttachment&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Sp</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">or&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphishing&nbsp;attachment&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">earphishing&nbsp;attachment&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;Spearphishing&nbsp;attachm</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g.&nbsp;Spearphishing&nbsp;attachment&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ent&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;employs&nbsp;the&nbsp;use&nbsp;of&nbsp;malware&nbsp;attache</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;employs&nbsp;the&nbsp;use&nbsp;of&nbsp;malware&nbsp;attached&nbsp;to&nbsp;an&nbsp;email.&nbsp;All&nbsp;forms</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;to&nbsp;an&nbsp;email.&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engine</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individ</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;scenario,&nbsp;adversaries&nbsp;att</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y.&nbsp;In&nbsp;this&nbsp;scenario,&nbsp;adversaries&nbsp;attach&nbsp;a&nbsp;file&nbsp;to&nbsp;the&nbsp;spearp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ach&nbsp;a&nbsp;file&nbsp;to&nbsp;the&nbsp;spearphishing&nbsp;email&nbsp;and&nbsp;usually&nbsp;rely&nbsp;upon&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">hishing&nbsp;email&nbsp;and&nbsp;usually&nbsp;rely&nbsp;upon&nbsp;[User&nbsp;Execution](https:/</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">[User&nbsp;Execution](https://attack.mitre.org/techniques/T1204)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/attack.mitre.org/techniques/T1204)&nbsp;to&nbsp;gain&nbsp;execution.&nbsp;&nbsp;Ther</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;gain&nbsp;execution.&nbsp;&nbsp;There&nbsp;are&nbsp;many&nbsp;options&nbsp;for&nbsp;the&nbsp;attachmen</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;are&nbsp;many&nbsp;options&nbsp;for&nbsp;the&nbsp;attachment&nbsp;such&nbsp;as&nbsp;Microsoft&nbsp;Offi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t&nbsp;such&nbsp;as&nbsp;Microsoft&nbsp;Office&nbsp;documents,&nbsp;executables,&nbsp;PDFs,&nbsp;or&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ce&nbsp;documents,&nbsp;executables,&nbsp;PDFs,&nbsp;or&nbsp;archived&nbsp;files.&nbsp;Upon&nbsp;ope</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">archived&nbsp;files.&nbsp;Upon&nbsp;opening&nbsp;the&nbsp;attachment&nbsp;(and&nbsp;potentially</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ning&nbsp;the&nbsp;attachment&nbsp;(and&nbsp;potentially&nbsp;clicking&nbsp;past&nbsp;protectio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;clicking&nbsp;past&nbsp;protections),&nbsp;the&nbsp;adversary's&nbsp;payload&nbsp;exploit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ns),&nbsp;the&nbsp;adversary's&nbsp;payload&nbsp;exploits&nbsp;a&nbsp;vulnerability&nbsp;or&nbsp;dir</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;a&nbsp;vulnerability&nbsp;or&nbsp;directly&nbsp;executes&nbsp;on&nbsp;the&nbsp;user's&nbsp;system.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">ectly&nbsp;executes&nbsp;on&nbsp;the&nbsp;user's&nbsp;system.&nbsp;The&nbsp;text&nbsp;of&nbsp;the&nbsp;spearph</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;The&nbsp;text&nbsp;of&nbsp;the&nbsp;spearphishing&nbsp;email&nbsp;usually&nbsp;tries&nbsp;to&nbsp;give&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ishing&nbsp;email&nbsp;usually&nbsp;tries&nbsp;to&nbsp;give&nbsp;a&nbsp;plausible&nbsp;reason&nbsp;why&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;plausible&nbsp;reason&nbsp;why&nbsp;the&nbsp;file&nbsp;should&nbsp;be&nbsp;opened,&nbsp;and&nbsp;may&nbsp;exp</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;file&nbsp;should&nbsp;be&nbsp;opened,&nbsp;and&nbsp;may&nbsp;explain&nbsp;how&nbsp;to&nbsp;bypass&nbsp;syste</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lain&nbsp;how&nbsp;to&nbsp;bypass&nbsp;system&nbsp;protections&nbsp;in&nbsp;order&nbsp;to&nbsp;do&nbsp;so.&nbsp;The</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">m&nbsp;protections&nbsp;in&nbsp;order&nbsp;to&nbsp;do&nbsp;so.&nbsp;The&nbsp;email&nbsp;may&nbsp;also&nbsp;contain&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;email&nbsp;may&nbsp;also&nbsp;contain&nbsp;instructions&nbsp;on&nbsp;how&nbsp;to&nbsp;decrypt&nbsp;an&nbsp;at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">instructions&nbsp;on&nbsp;how&nbsp;to&nbsp;decrypt&nbsp;an&nbsp;attachment,&nbsp;such&nbsp;as&nbsp;a&nbsp;zip&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tachment,&nbsp;such&nbsp;as&nbsp;a&nbsp;zip&nbsp;file&nbsp;password,&nbsp;in&nbsp;order&nbsp;to&nbsp;evade&nbsp;ema</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">file&nbsp;password,&nbsp;in&nbsp;order&nbsp;to&nbsp;evade&nbsp;email&nbsp;boundary&nbsp;defenses.&nbsp;Ad</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">il&nbsp;boundary&nbsp;defenses.&nbsp;Adversaries&nbsp;frequently&nbsp;manipulate&nbsp;file</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">versaries&nbsp;frequently&nbsp;manipulate&nbsp;file&nbsp;extensions&nbsp;and&nbsp;icons&nbsp;in</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;extensions&nbsp;and&nbsp;icons&nbsp;in&nbsp;order&nbsp;to&nbsp;make&nbsp;attached&nbsp;executables&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;order&nbsp;to&nbsp;make&nbsp;attached&nbsp;executables&nbsp;appear&nbsp;to&nbsp;be&nbsp;document&nbsp;fi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">appear&nbsp;to&nbsp;be&nbsp;document&nbsp;files,&nbsp;or&nbsp;files&nbsp;exploiting&nbsp;one&nbsp;applica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">les,&nbsp;or&nbsp;files&nbsp;exploiting&nbsp;one&nbsp;application&nbsp;appear&nbsp;to&nbsp;be&nbsp;a&nbsp;file</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion&nbsp;appear&nbsp;to&nbsp;be&nbsp;a&nbsp;file&nbsp;for&nbsp;a&nbsp;different&nbsp;one.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;for&nbsp;a&nbsp;different&nbsp;one.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1017: User Training",
                            "M1021: Restrict Web-Based Content",
                            "M1031: Network Intrusion Prevention",
                            "M1049: Antivirus/Antimalware"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-02 19:15:44.182000+00:00",
                    "modified": "2020-10-18 01:53:39.818000+00:00",
                    "name": "Spearphishing Link",
                    "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications  designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1566/002",
                            "external_id": "T1566.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/163.html",
                            "external_id": "CAPEC-163"
                        },
                        {
                            "source_name": "Trend Micro Pawn Storm OAuth 2017",
                            "description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Shailesh Tiwary (Indian Army)",
                        "Mark Wee",
                        "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
                        "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)"
                    ],
                    "x_mitre_data_sources": [
                        "Packet capture",
                        "Web proxy",
                        "Email gateway",
                        "Detonation chamber",
                        "SSL/TLS inspection",
                        "DNS records",
                        "Mail server"
                    ],
                    "x_mitre_detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Office 365",
                        "SaaS"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-18 01:53:39.818000+00:00\", \"old_value\": \"2020-03-02 19:44:47.843000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications  designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)\", \"old_value\": \"Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. 
Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications  designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. 
\\n+Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \\n \\n All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications  designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to9__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to9__0\"><a href=\"#difflib_chg_to9__top\">t</a></td><td class=\"diff_header\" id=\"from9_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to9__top\">t</a></td><td class=\"diff_header\" id=\"to9_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;and/or&nbsp;gai</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphishing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">pecific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It&nbsp;is&nbsp;different&nbsp;from&nbsp;other</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;employs&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;email,&nbsp;instead&nbsp;of&nbsp;attaching</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;&nbsp;&nbsp;Al</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishing</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">l&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;at</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;engineering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">industry.&nbsp;In&nbsp;this&nbsp;case,&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wil</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">Generally,&nbsp;the&nbsp;links&nbsp;will&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineeri</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ng&nbsp;text&nbsp;and&nbsp;require&nbsp;the&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;browse</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">aste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;browser,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">r,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tech</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">://attack.mitre.org/techniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">niques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;br</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ay&nbsp;compromise&nbsp;the&nbsp;web&nbsp;browser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">owser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;down</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;download&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;fi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">load&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executables</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">les,&nbsp;or&nbsp;even&nbsp;executables&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;em</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ail&nbsp;in&nbsp;the&nbsp;first&nbsp;place.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;inte</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">hat&nbsp;are&nbsp;intended&nbsp;to&nbsp;interact&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;image</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">including&nbsp;embedded&nbsp;images&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly&nbsp;or&nbsp;verify&nbsp;the&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;directly&nbsp;or&nbsp;verify&nbsp;the&nbsp;receipt&nbsp;of&nbsp;an&nbsp;email&nbsp;(i.e.&nbsp;web&nbsp;bugs/w</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">receipt&nbsp;of&nbsp;an&nbsp;email&nbsp;(i.e.&nbsp;web&nbsp;bugs/web&nbsp;beacons).&nbsp;Links&nbsp;may&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">eb&nbsp;beacons).&nbsp;Links&nbsp;may&nbsp;also&nbsp;direct&nbsp;users&nbsp;to&nbsp;malicious&nbsp;applic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lso&nbsp;direct&nbsp;users&nbsp;to&nbsp;malicious&nbsp;applications&nbsp;&nbsp;designed&nbsp;to&nbsp;[Ste</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ations&nbsp;&nbsp;designed&nbsp;to&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https:/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">al&nbsp;Application&nbsp;Access&nbsp;Token](https://attack.mitre.org/techni</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/attack.mitre.org/techniques/T1528)s,&nbsp;like&nbsp;OAuth&nbsp;tokens,&nbsp;in&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ques/T1528)s,&nbsp;like&nbsp;OAuth&nbsp;tokens,&nbsp;in&nbsp;order&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">order&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;protected&nbsp;applications&nbsp;and&nbsp;informati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">protected&nbsp;applications&nbsp;and&nbsp;information.(Citation:&nbsp;Trend&nbsp;Micr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on.(Citation:&nbsp;Trend&nbsp;Micro&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1017: User Training",
                            "M1021: Restrict Web-Based Content"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-02 19:24:00.951000+00:00",
                    "modified": "2020-10-18 01:55:02.988000+00:00",
                    "name": "Spearphishing via Service",
                    "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1566/003",
                            "external_id": "T1566.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/163.html",
                            "external_id": "CAPEC-163"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS inspection",
                        "Anti-virus",
                        "Web proxy"
                    ],
                    "x_mitre_detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection in place, intrusion detection signatures or other security gateway appliances may be able to detect malware. Where inspection of personal webmail or social media traffic is not feasible or not permitted by policy, the endpoint-based detections below become the primary option. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-18 01:55:02.988000+00:00\", \"old_value\": \"2020-03-28 00:04:46.264000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\\n\\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. 
If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.\", \"old_value\": \"Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\\n\\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. 
If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \\n+Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \\n \\n All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\\n \"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to23__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to23__0\"><a href=\"#difflib_chg_to23__top\">t</a></td><td class=\"diff_header\" id=\"from23_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;via&nbsp;third-party&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to23__top\">t</a></td><td class=\"diff_header\" id=\"to23_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;via&nbsp;third-party&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">services&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;<span class=\"diff_chg\">elicit&nbsp;sensitive&nbsp;information&nbsp;and/o</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">services&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;<span class=\"diff_chg\">gain&nbsp;access&nbsp;to&nbsp;victim</span>&nbsp;systems.&nbsp;Spe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">r&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim</span>&nbsp;systems.&nbsp;Spearphishing&nbsp;via&nbsp;service&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">arphishing&nbsp;via&nbsp;service&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It&nbsp;is&nbsp;different&nbsp;from&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g.&nbsp;It&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;employs&nbsp;the&nbsp;use&nbsp;of&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;it&nbsp;employs&nbsp;the&nbsp;use&nbsp;of&nbsp;third&nbsp;party&nbsp;services&nbsp;rather&nbsp;than&nbsp;dire</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hird&nbsp;party&nbsp;services&nbsp;rather&nbsp;than&nbsp;directly&nbsp;via&nbsp;enterprise&nbsp;emai</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctly&nbsp;via&nbsp;enterprise&nbsp;email&nbsp;channels.&nbsp;&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphis</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">l&nbsp;channels.&nbsp;&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hing&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targete</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individu</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;at&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;sc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">al,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;scenario,&nbsp;adversaries&nbsp;send</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">enario,&nbsp;adversaries&nbsp;send&nbsp;messages&nbsp;through&nbsp;various&nbsp;social&nbsp;med</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;messages&nbsp;through&nbsp;various&nbsp;social&nbsp;media&nbsp;services,&nbsp;personal&nbsp;we</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ia&nbsp;services,&nbsp;personal&nbsp;webmail,&nbsp;and&nbsp;other&nbsp;non-enterprise&nbsp;cont</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bmail,&nbsp;and&nbsp;other&nbsp;non-enterprise&nbsp;controlled&nbsp;services.&nbsp;These&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rolled&nbsp;services.&nbsp;These&nbsp;services&nbsp;are&nbsp;more&nbsp;likely&nbsp;to&nbsp;have&nbsp;a&nbsp;le</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ervices&nbsp;are&nbsp;more&nbsp;likely&nbsp;to&nbsp;have&nbsp;a&nbsp;less-strict&nbsp;security&nbsp;polic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss-strict&nbsp;security&nbsp;policy&nbsp;than&nbsp;an&nbsp;enterprise.&nbsp;As&nbsp;with&nbsp;most&nbsp;k</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">y&nbsp;than&nbsp;an&nbsp;enterprise.&nbsp;As&nbsp;with&nbsp;most&nbsp;kinds&nbsp;of&nbsp;spearphishing,&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">inds&nbsp;of&nbsp;spearphishing,&nbsp;the&nbsp;goal&nbsp;is&nbsp;to&nbsp;generate&nbsp;rapport&nbsp;with&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;goal&nbsp;is&nbsp;to&nbsp;generate&nbsp;rapport&nbsp;with&nbsp;the&nbsp;target&nbsp;or&nbsp;get&nbsp;the&nbsp;ta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">the&nbsp;target&nbsp;or&nbsp;get&nbsp;the&nbsp;target's&nbsp;interest&nbsp;in&nbsp;some&nbsp;way.&nbsp;Adversa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rget's&nbsp;interest&nbsp;in&nbsp;some&nbsp;way.&nbsp;Adversaries&nbsp;will&nbsp;create&nbsp;fake&nbsp;so</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;will&nbsp;create&nbsp;fake&nbsp;social&nbsp;media&nbsp;accounts&nbsp;and&nbsp;message&nbsp;empl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cial&nbsp;media&nbsp;accounts&nbsp;and&nbsp;message&nbsp;employees&nbsp;for&nbsp;potential&nbsp;job&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oyees&nbsp;for&nbsp;potential&nbsp;job&nbsp;opportunities.&nbsp;Doing&nbsp;so&nbsp;allows&nbsp;a&nbsp;pla</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">opportunities.&nbsp;Doing&nbsp;so&nbsp;allows&nbsp;a&nbsp;plausible&nbsp;reason&nbsp;for&nbsp;asking</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">usible&nbsp;reason&nbsp;for&nbsp;asking&nbsp;about&nbsp;services,&nbsp;policies,&nbsp;and&nbsp;softw</td></tr>\n            
<tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;about&nbsp;services,&nbsp;policies,&nbsp;and&nbsp;software&nbsp;that's&nbsp;running&nbsp;in&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are&nbsp;that's&nbsp;running&nbsp;in&nbsp;an&nbsp;environment.&nbsp;The&nbsp;adversary&nbsp;can&nbsp;then</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;environment.&nbsp;The&nbsp;adversary&nbsp;can&nbsp;then&nbsp;send&nbsp;malicious&nbsp;links&nbsp;or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;send&nbsp;malicious&nbsp;links&nbsp;or&nbsp;attachments&nbsp;through&nbsp;these&nbsp;services.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;attachments&nbsp;through&nbsp;these&nbsp;services.&nbsp;&nbsp;A&nbsp;common&nbsp;example&nbsp;is&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;A&nbsp;common&nbsp;example&nbsp;is&nbsp;to&nbsp;build&nbsp;rapport&nbsp;with&nbsp;a&nbsp;target&nbsp;via&nbsp;soc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;build&nbsp;rapport&nbsp;with&nbsp;a&nbsp;target&nbsp;via&nbsp;social&nbsp;media,&nbsp;then&nbsp;send&nbsp;con</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ial&nbsp;media,&nbsp;then&nbsp;send&nbsp;content&nbsp;to&nbsp;a&nbsp;personal&nbsp;webmail&nbsp;service&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tent&nbsp;to&nbsp;a&nbsp;personal&nbsp;webmail&nbsp;service&nbsp;that&nbsp;the&nbsp;target&nbsp;uses&nbsp;on&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">hat&nbsp;the&nbsp;target&nbsp;uses&nbsp;on&nbsp;their&nbsp;work&nbsp;computer.&nbsp;This&nbsp;allows&nbsp;an&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">heir&nbsp;work&nbsp;computer.&nbsp;This&nbsp;allows&nbsp;an&nbsp;adversary&nbsp;to&nbsp;bypass&nbsp;some&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dversary&nbsp;to&nbsp;bypass&nbsp;some&nbsp;email&nbsp;restrictions&nbsp;on&nbsp;the&nbsp;work&nbsp;accou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">email&nbsp;restrictions&nbsp;on&nbsp;the&nbsp;work&nbsp;account,&nbsp;and&nbsp;the&nbsp;target&nbsp;is&nbsp;mo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt,&nbsp;and&nbsp;the&nbsp;target&nbsp;is&nbsp;more&nbsp;likely&nbsp;to&nbsp;open&nbsp;the&nbsp;file&nbsp;since&nbsp;it'</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;likely&nbsp;to&nbsp;open&nbsp;the&nbsp;file&nbsp;since&nbsp;it's&nbsp;something&nbsp;they&nbsp;were&nbsp;ex</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;something&nbsp;they&nbsp;were&nbsp;expecting.&nbsp;If&nbsp;the&nbsp;payload&nbsp;doesn't&nbsp;work</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pecting.&nbsp;If&nbsp;the&nbsp;payload&nbsp;doesn't&nbsp;work&nbsp;as&nbsp;expected,&nbsp;the&nbsp;advers</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;expected,&nbsp;the&nbsp;adversary&nbsp;can&nbsp;continue&nbsp;normal&nbsp;communicatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ary&nbsp;can&nbsp;continue&nbsp;normal&nbsp;communications&nbsp;and&nbsp;troubleshoot&nbsp;with</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns&nbsp;and&nbsp;troubleshoot&nbsp;with&nbsp;the&nbsp;target&nbsp;on&nbsp;how&nbsp;to&nbsp;get&nbsp;it&nbsp;working</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;target&nbsp;on&nbsp;how&nbsp;to&nbsp;get&nbsp;it&nbsp;working.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1017: User Training",
                            "M1021: Restrict Web-Based Content",
                            "M1049: Antivirus/Antimalware"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-14 23:23:41.770000+00:00",
                    "modified": "2020-10-21 17:54:28.280000+00:00",
                    "name": "Multi-hop Proxy",
                    "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available Tor network.(Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\u2019s WAN. Protocols such as ICMP may be used as a transport.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1090/003",
                            "external_id": "T1090.003"
                        },
                        {
                            "source_name": "Onion Routing",
                            "description": "Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.",
                            "url": "https://en.wikipedia.org/wiki/Onion_routing"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Packet capture",
                        "Network protocol analysis",
                        "Netflow/Enclave netflow"
                    ],
                    "x_mitre_detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\n\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers.  Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization.  Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted.  Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 17:54:28.280000+00:00\", \"old_value\": \"2020-03-14 23:23:41.770000+00:00\"}, \"root['description']\": {\"new_value\": \"To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\\n\\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\\u2019s WAN. Protocols such as ICMP may be used as a transport.\", \"old_value\": \"To disguise the source of malicious traffic, adversaries may chain together multiple proxies. 
Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\\n+To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\\n+\\n+In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  
By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\\u2019s WAN. Protocols such as ICMP may be used as a transport.\"}, \"root['x_mitre_detection']\": {\"new_value\": \"When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\\n\\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers.  Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization.  Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted.  
Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.\", \"old_value\": \"When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\\n+\\n+In context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers.  Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization.  Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted.  
Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Onion Routing\", \"description\": \"Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.\", \"url\": \"https://en.wikipedia.org/wiki/Onion_routing\"}, \"root['x_mitre_data_sources'][0]\": \"Packet capture\", \"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to33__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to33__0\"><a href=\"#difflib_chg_to33__top\">t</a></td><td class=\"diff_header\" id=\"from33_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">To&nbsp;disguise&nbsp;the&nbsp;source&nbsp;of&nbsp;malicious&nbsp;traffic,&nbsp;adversaries&nbsp;may</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to33__top\">t</a></td><td class=\"diff_header\" id=\"to33_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">To&nbsp;disguise&nbsp;the&nbsp;source&nbsp;of&nbsp;malicious&nbsp;traffic,&nbsp;adversaries&nbsp;may</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;chain&nbsp;together&nbsp;multiple&nbsp;proxies.&nbsp;Typically,&nbsp;a&nbsp;defender&nbsp;will</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;chain&nbsp;together&nbsp;multiple&nbsp;proxies.&nbsp;Typically,&nbsp;a&nbsp;defender&nbsp;will</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;be&nbsp;able&nbsp;to&nbsp;identify&nbsp;the&nbsp;last&nbsp;proxy&nbsp;traffic&nbsp;traversed&nbsp;before</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">&nbsp;be&nbsp;able&nbsp;to&nbsp;identify&nbsp;the&nbsp;last&nbsp;proxy&nbsp;traffic&nbsp;traversed&nbsp;before</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;it&nbsp;enters&nbsp;their&nbsp;network;&nbsp;the&nbsp;defender&nbsp;may&nbsp;or&nbsp;may&nbsp;not&nbsp;be&nbsp;abl</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;it&nbsp;enters&nbsp;their&nbsp;network;&nbsp;the&nbsp;defender&nbsp;may&nbsp;or&nbsp;may&nbsp;not&nbsp;be&nbsp;abl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;to&nbsp;identify&nbsp;any&nbsp;previous&nbsp;proxies&nbsp;before&nbsp;the&nbsp;last-hop&nbsp;proxy</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;to&nbsp;identify&nbsp;any&nbsp;previous&nbsp;proxies&nbsp;before&nbsp;the&nbsp;last-hop&nbsp;proxy</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.&nbsp;This&nbsp;technique&nbsp;makes&nbsp;identifying&nbsp;the&nbsp;original&nbsp;source&nbsp;of&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.&nbsp;This&nbsp;technique&nbsp;makes&nbsp;identifying&nbsp;the&nbsp;original&nbsp;source&nbsp;of&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;malicious&nbsp;traffic&nbsp;even&nbsp;more&nbsp;difficult&nbsp;by&nbsp;requiring&nbsp;the&nbsp;def</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">e&nbsp;malicious&nbsp;traffic&nbsp;even&nbsp;more&nbsp;difficult&nbsp;by&nbsp;requiring&nbsp;the&nbsp;def</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ender&nbsp;to&nbsp;trace&nbsp;malicious&nbsp;traffic&nbsp;through&nbsp;several&nbsp;proxies&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ender&nbsp;to&nbsp;trace&nbsp;malicious&nbsp;traffic&nbsp;through&nbsp;several&nbsp;proxies&nbsp;to&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">identify&nbsp;its&nbsp;source.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">identify&nbsp;its&nbsp;source.&nbsp;A&nbsp;particular&nbsp;variant&nbsp;of&nbsp;this&nbsp;behavior&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;to&nbsp;use&nbsp;onion&nbsp;routing&nbsp;networks,&nbsp;such&nbsp;as&nbsp;the&nbsp;publicly&nbsp;availa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ble&nbsp;TOR&nbsp;network.&nbsp;(Citation:&nbsp;Onion&nbsp;Routing)&nbsp;&nbsp;In&nbsp;the&nbsp;case&nbsp;of&nbsp;n</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">etwork&nbsp;infrastructure,&nbsp;particularly&nbsp;routers,&nbsp;it&nbsp;is&nbsp;possible&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">for&nbsp;an&nbsp;adversary&nbsp;to&nbsp;leverage&nbsp;multiple&nbsp;compromised&nbsp;devices&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;create&nbsp;a&nbsp;multi-hop&nbsp;proxy&nbsp;chain&nbsp;within&nbsp;the&nbsp;Wide-Area&nbsp;Network</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;(WAN)&nbsp;of&nbsp;the&nbsp;enterprise.&nbsp;&nbsp;By&nbsp;leveraging&nbsp;[Patch&nbsp;System&nbsp;Image</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">](https://attack.mitre.org/techniques/T1601/001),&nbsp;adversarie</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;can&nbsp;add&nbsp;custom&nbsp;code&nbsp;to&nbsp;the&nbsp;affected&nbsp;network&nbsp;devices&nbsp;that&nbsp;w</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\"><span class=\"diff_add\">ill&nbsp;implement&nbsp;onion&nbsp;routing&nbsp;between&nbsp;those&nbsp;nodes.&nbsp;&nbsp;This&nbsp;custo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">m&nbsp;onion&nbsp;routing&nbsp;network&nbsp;will&nbsp;transport&nbsp;the&nbsp;encrypted&nbsp;C2&nbsp;traf</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">fic&nbsp;through&nbsp;the&nbsp;compromised&nbsp;population,&nbsp;allowing&nbsp;adversaries</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;communicate&nbsp;with&nbsp;any&nbsp;device&nbsp;within&nbsp;the&nbsp;onion&nbsp;routing&nbsp;net</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">work.&nbsp;&nbsp;This&nbsp;method&nbsp;is&nbsp;dependent&nbsp;upon&nbsp;the&nbsp;[Network&nbsp;Boundary&nbsp;B</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ridging](https://attack.mitre.org/techniques/T1599)&nbsp;method&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n&nbsp;order&nbsp;to&nbsp;allow&nbsp;the&nbsp;adversaries&nbsp;to&nbsp;cross&nbsp;the&nbsp;protected&nbsp;netw</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ork&nbsp;boundary&nbsp;of&nbsp;the&nbsp;Internet&nbsp;perimeter&nbsp;and&nbsp;into&nbsp;the&nbsp;organiza</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion\u2019s&nbsp;WAN.&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;ICMP&nbsp;may&nbsp;be&nbsp;used&nbsp;as&nbsp;a&nbsp;transpor</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t.</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:28.187000+00:00",
                    "modified": "2020-09-17 12:26:53.669000+00:00",
                    "name": "Remote System Discovery",
                    "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\\Windows\\System32\\Drivers\\etc\\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1018",
                            "external_id": "T1018"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/292.html",
                            "external_id": "CAPEC-292"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "RedHuntLabs, @redhuntlabs"
                    ],
                    "x_mitre_data_sources": [
                        "Network protocol analysis",
                        "Process monitoring",
                        "Process use of network",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "3.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-17 12:26:53.669000+00:00\", \"old_value\": \"2020-05-26 15:02:19.656000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. \\n\\nSpecific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.\", \"old_value\": \"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. 
\\n\\nSpecific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.\\n\\nWithin IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API and a <code>describe-instances</code> command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project, and Azure's CLI <code>az vm list</code> lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,3 @@\\n Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. 
\\n \\n Specific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.\\n-\\n-Within IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API and a <code>describe-instances</code> command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project, and Azure's CLI <code>az vm list</code> lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\", \"old_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\\n\\nIn cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,3 @@\\n System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n \\n Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\\n-\\n-In cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection.\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_removed\": {\"root['external_references'][2]\": {\"source_name\": \"Amazon Describe Instances API\", \"description\": \"Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.\", \"url\": \"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html\"}, \"root['external_references'][3]\": {\"source_name\": \"Amazon Describe Instances CLI\", \"description\": \"Amazon. (n.d.). describe-instances. 
Retrieved May 26, 2020.\", \"url\": \"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html\"}, \"root['external_references'][4]\": {\"source_name\": \"Google Compute Instances\", \"description\": \"Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.\", \"url\": \"https://cloud.google.com/sdk/gcloud/reference/compute/instances/list\"}, \"root['external_references'][5]\": {\"source_name\": \"Azure VM List\", \"description\": \"Microsoft. (n.d.). az vm. Retrieved May 26, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest\"}, \"root['x_mitre_contributors'][0]\": \"Praetorian\", \"root['x_mitre_data_sources'][0]\": \"Azure activity logs\", \"root['x_mitre_data_sources'][1]\": \"Stackdriver logs\", \"root['x_mitre_data_sources'][2]\": \"AWS CloudTrail logs\", \"root['x_mitre_platforms'][3]\": \"GCP\", \"root['x_mitre_platforms'][4]\": \"Azure\", \"root['x_mitre_platforms'][5]\": \"AWS\"}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 3.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to20__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to20__0\"><a href=\"#difflib_chg_to20__top\">t</a></td><td class=\"diff_header\" id=\"from20_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;get&nbsp;a&nbsp;listing&nbsp;of&nbsp;other&nbsp;systems&nbsp;by</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to20__top\">t</a></td><td class=\"diff_header\" id=\"to20_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;get&nbsp;a&nbsp;listing&nbsp;of&nbsp;other&nbsp;systems&nbsp;by</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;IP&nbsp;address,&nbsp;hostname,&nbsp;or&nbsp;other&nbsp;logical&nbsp;identifier&nbsp;on&nbsp;a&nbsp;netw</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;IP&nbsp;address,&nbsp;hostname,&nbsp;or&nbsp;other&nbsp;logical&nbsp;identifier&nbsp;on&nbsp;a&nbsp;netw</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ork&nbsp;that&nbsp;may&nbsp;be&nbsp;used&nbsp;for&nbsp;Lateral&nbsp;Movement&nbsp;from&nbsp;the&nbsp;current&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\"><span class=\"diff_add\">ork&nbsp;that&nbsp;may&nbsp;be&nbsp;used&nbsp;for&nbsp;Lateral&nbsp;Movement&nbsp;from&nbsp;the&nbsp;current&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ystem.&nbsp;Functionality&nbsp;could&nbsp;exist&nbsp;within&nbsp;remote&nbsp;access&nbsp;tools&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ystem.&nbsp;Functionality&nbsp;could&nbsp;exist&nbsp;within&nbsp;remote&nbsp;access&nbsp;tools&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">to&nbsp;enable&nbsp;this,&nbsp;but&nbsp;utilities&nbsp;available&nbsp;on&nbsp;the&nbsp;operating&nbsp;sys</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;enable&nbsp;this,&nbsp;but&nbsp;utilities&nbsp;available&nbsp;on&nbsp;the&nbsp;operating&nbsp;sys</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tem&nbsp;could&nbsp;also&nbsp;be&nbsp;used&nbsp;such&nbsp;as&nbsp;&nbsp;[Ping](https://attack.mitre.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tem&nbsp;could&nbsp;also&nbsp;be&nbsp;used&nbsp;such&nbsp;as&nbsp;&nbsp;[Ping](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">org/software/S0097)&nbsp;or&nbsp;&lt;code&gt;net&nbsp;view&lt;/code&gt;&nbsp;using&nbsp;[Net](htt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">org/software/S0097)&nbsp;or&nbsp;&lt;code&gt;net&nbsp;view&lt;/code&gt;&nbsp;using&nbsp;[Net](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ps://attack.mitre.org/software/S0039).&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/software/S0039).&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">use&nbsp;local&nbsp;host&nbsp;files&nbsp;(ex:&nbsp;&lt;code&gt;C:\\Windows\\System32\\Drivers\\</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">use&nbsp;local&nbsp;host&nbsp;files&nbsp;(ex:&nbsp;&lt;code&gt;C:\\Windows\\System32\\Drivers\\</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">etc\\hosts&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;/etc/hosts&lt;/code&gt;)&nbsp;in&nbsp;order&nbsp;to&nbsp;dis</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">etc\\hosts&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;/etc/hosts&lt;/code&gt;)&nbsp;in&nbsp;order&nbsp;to&nbsp;dis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cover&nbsp;the&nbsp;hostname&nbsp;to&nbsp;IP&nbsp;address&nbsp;mappings&nbsp;of&nbsp;remote&nbsp;systems.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cover&nbsp;the&nbsp;hostname&nbsp;to&nbsp;IP&nbsp;address&nbsp;mappings&nbsp;of&nbsp;remote&nbsp;systems.</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;&nbsp;&nbsp;Specific&nbsp;to&nbsp;macOS,&nbsp;the&nbsp;&lt;code&gt;bonjour&lt;/code&gt;&nbsp;protocol&nbsp;exis</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;&nbsp;&nbsp;Specific&nbsp;to&nbsp;macOS,&nbsp;the&nbsp;&lt;code&gt;bonjour&lt;/code&gt;&nbsp;protocol&nbsp;exis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ts&nbsp;to&nbsp;discover&nbsp;additional&nbsp;Mac-based&nbsp;systems&nbsp;within&nbsp;the&nbsp;same&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ts&nbsp;to&nbsp;discover&nbsp;additional&nbsp;Mac-based&nbsp;systems&nbsp;within&nbsp;the&nbsp;same&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">broadcast&nbsp;domain.&nbsp;&nbsp;Within&nbsp;IaaS&nbsp;(Infrastructure&nbsp;as&nbsp;a&nbsp;Service)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">broadcast&nbsp;domain.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;environments,&nbsp;remote&nbsp;systems&nbsp;include&nbsp;instances&nbsp;and&nbsp;virtual&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">machines&nbsp;in&nbsp;various&nbsp;states,&nbsp;including&nbsp;the&nbsp;running&nbsp;or&nbsp;stopped</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td 
nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;state.&nbsp;Cloud&nbsp;providers&nbsp;have&nbsp;created&nbsp;methods&nbsp;to&nbsp;serve&nbsp;inform</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ation&nbsp;about&nbsp;remote&nbsp;systems,&nbsp;such&nbsp;as&nbsp;APIs&nbsp;and&nbsp;CLIs.&nbsp;For&nbsp;examp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">le,&nbsp;AWS&nbsp;provides&nbsp;a&nbsp;&lt;code&gt;DescribeInstances&lt;/code&gt;&nbsp;API&nbsp;within</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;Amazon&nbsp;EC2&nbsp;API&nbsp;and&nbsp;a&nbsp;&lt;code&gt;describe-instances&lt;/code&gt;&nbsp;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mmand&nbsp;within&nbsp;the&nbsp;AWS&nbsp;CLI&nbsp;that&nbsp;can&nbsp;return&nbsp;information&nbsp;about&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ll&nbsp;instances&nbsp;within&nbsp;an&nbsp;account.(Citation:&nbsp;Amazon&nbsp;Describe&nbsp;In</span></td><td 
class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">stances&nbsp;API)(Citation:&nbsp;Amazon&nbsp;Describe&nbsp;Instances&nbsp;CLI)&nbsp;Simila</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rly,&nbsp;GCP's&nbsp;Cloud&nbsp;SDK&nbsp;CLI&nbsp;provides&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;compute&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nstances&nbsp;list&lt;/code&gt;&nbsp;command&nbsp;to&nbsp;list&nbsp;all&nbsp;Google&nbsp;Compute&nbsp;Engi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ne&nbsp;instances&nbsp;in&nbsp;a&nbsp;project,&nbsp;and&nbsp;Azure's&nbsp;CLI&nbsp;&lt;code&gt;az&nbsp;vm&nbsp;list&lt;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/code&gt;&nbsp;lists&nbsp;details&nbsp;of&nbsp;virtual&nbsp;machines.(Citation:&nbsp;Google&nbsp;C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">ompute&nbsp;Instances)(Citation:&nbsp;Azure&nbsp;VM&nbsp;List)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "T1018: Remote System Discovery Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                }
            ],
            "minor_version_changes": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:06.988000+00:00",
                    "modified": "2020-09-16 15:10:18.260000+00:00",
                    "name": "Account Discovery",
                    "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1087",
                            "external_id": "T1087"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/575.html",
                            "external_id": "CAPEC-575"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Microsoft Threat Intelligence Center (MSTIC)",
                        "Travis Smith, Tripwire"
                    ],
                    "x_mitre_data_sources": [
                        "Azure activity logs",
                        "Office 365 account logs",
                        "API monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Office 365",
                        "Azure AD",
                        "AWS",
                        "GCP",
                        "Azure",
                        "SaaS"
                    ],
                    "x_mitre_version": "2.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:10:18.260000+00:00\", \"old_value\": \"2020-03-26 15:27:59.127000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"capec\", \"url\": \"https://capec.mitre.org/data/definitions/575.html\", \"external_id\": \"CAPEC-575\"}}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 2.2",
                    "changelog_mitigations": {
                        "shared": [
                            "M1028: Operating System Configuration",
                            "T1087: Account Discovery Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-21 21:08:36.570000+00:00",
                    "modified": "2020-08-13 16:53:55.390000+00:00",
                    "name": "Cloud Account",
                    "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1087/004",
                            "external_id": "T1087.004"
                        },
                        {
                            "source_name": "Microsoft msolrolemember",
                            "description": "Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.",
                            "url": "https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0"
                        },
                        {
                            "source_name": "GitHub Raindance",
                            "description": "Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.",
                            "url": "https://github.com/True-Demon/raindance"
                        },
                        {
                            "source_name": "Microsoft AZ CLI",
                            "description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
                            "url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest"
                        },
                        {
                            "source_name": "Black Hills Red Teaming MS AD Azure, 2018",
                            "description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.",
                            "url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/"
                        },
                        {
                            "source_name": "AWS List Roles",
                            "description": "Amazon. (n.d.). List Roles. Retrieved August 11, 2020.",
                            "url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html"
                        },
                        {
                            "source_name": "AWS List Users",
                            "description": "Amazon. (n.d.). List Users. Retrieved August 11, 2020.",
                            "url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html"
                        },
                        {
                            "source_name": "Google Cloud - IAM Servie Accounts List API",
                            "description": "Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.",
                            "url": "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "Stackdriver logs",
                        "AWS CloudTrail logs",
                        "Azure activity logs",
                        "Office 365 account logs",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Praetorian\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-13 16:53:55.390000+00:00\", \"old_value\": \"2020-03-13 20:05:15.448000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\\n\\nWith authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \\n\\nThe AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)\", \"old_value\": \"Adversaries may attempt to get a listing of cloud accounts. 
Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider of SaaS application.\\n\\nWith authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\\n\\nAzure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider of SaaS application.\\n+Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\\n \\n-With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\\n+With authenticated access there are several tools that can be used to find accounts. 
The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \\n \\n-Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \\n+The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\\n\\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. 
Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\", \"old_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n+Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\\n \\n-Monitor processes and command-line arguments for actions that could be taken to gather system and network information.\\n+System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"AWS List Roles\", \"description\": \"Amazon. (n.d.). List Roles. 
Retrieved August 11, 2020.\", \"url\": \"https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html\"}, \"root['external_references'][6]\": {\"source_name\": \"AWS List Users\", \"description\": \"Amazon. (n.d.). List Users. Retrieved August 11, 2020.\", \"url\": \"https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html\"}, \"root['external_references'][7]\": {\"source_name\": \"Google Cloud - IAM Servie Accounts List API\", \"description\": \"Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.\", \"url\": \"https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list\"}, \"root['x_mitre_data_sources'][0]\": \"Stackdriver logs\", \"root['x_mitre_data_sources'][1]\": \"AWS CloudTrail logs\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to24__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to24__0\"><a href=\"#difflib_chg_to24__top\">t</a></td><td class=\"diff_header\" id=\"from24_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;get&nbsp;a&nbsp;listing&nbsp;of&nbsp;cloud&nbsp;accounts.&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to24__top\">t</a></td><td class=\"diff_header\" id=\"to24_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;get&nbsp;a&nbsp;listing&nbsp;of&nbsp;cloud&nbsp;accounts.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Cloud&nbsp;accounts&nbsp;are&nbsp;those&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Cloud&nbsp;accounts&nbsp;are&nbsp;those&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">zation&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;ad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">zation&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;ad</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">ministration&nbsp;of&nbsp;resources&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;o<span class=\"diff_chg\">f</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ministration&nbsp;of&nbsp;resources&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;o<span class=\"diff_chg\">r</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\"></span>&nbsp;SaaS&nbsp;application.&nbsp;&nbsp;With&nbsp;authenticated&nbsp;access&nbsp;there&nbsp;are&nbsp;seve</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\"></span>&nbsp;SaaS&nbsp;application.&nbsp;&nbsp;With&nbsp;authenticated&nbsp;access&nbsp;there&nbsp;are&nbsp;seve</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ral&nbsp;tools&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;find&nbsp;accounts.&nbsp;The&nbsp;&lt;code&gt;Get-M</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ral&nbsp;tools&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;find&nbsp;accounts.&nbsp;The&nbsp;&lt;code&gt;Get-M</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">solRoleMember&lt;/code&gt;&nbsp;PowerShell&nbsp;cmdlet&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;obtain</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">solRoleMember&lt;/code&gt;&nbsp;PowerShell&nbsp;cmdlet&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;obtain</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;account&nbsp;names&nbsp;given&nbsp;a&nbsp;role&nbsp;or&nbsp;permissions&nbsp;group.(Citation:&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;account&nbsp;names&nbsp;given&nbsp;a&nbsp;role&nbsp;or&nbsp;permissions&nbsp;group<span class=\"diff_add\">&nbsp;in&nbsp;Office&nbsp;3</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Microsoft&nbsp;msolrolemember)(Citation:&nbsp;GitHub&nbsp;Raindance)&nbsp;&nbsp;Azure</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">65</span>.(Citation:&nbsp;Microsoft&nbsp;msolrolemember)(Citation:&nbsp;GitHub&nbsp;Rai</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;CLI&nbsp;(AZ&nbsp;CLI)&nbsp;also&nbsp;provides&nbsp;an&nbsp;interface&nbsp;to&nbsp;obtain&nbsp;user&nbsp;acco</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ndance)&nbsp;<span class=\"diff_add\">The</span>&nbsp;Azure&nbsp;CLI&nbsp;(AZ&nbsp;CLI)&nbsp;also&nbsp;provides&nbsp;an&nbsp;interface&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unts&nbsp;with&nbsp;authenticated&nbsp;access&nbsp;to&nbsp;a&nbsp;domain.&nbsp;The&nbsp;command&nbsp;&lt;cod</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;obtain&nbsp;user&nbsp;accounts&nbsp;with&nbsp;authenticated&nbsp;access&nbsp;to&nbsp;a&nbsp;domain.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&gt;az&nbsp;ad&nbsp;user&nbsp;list&lt;/code&gt;&nbsp;will&nbsp;list&nbsp;all&nbsp;users&nbsp;within&nbsp;a&nbsp;domain</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;The&nbsp;command&nbsp;&lt;code&gt;az&nbsp;ad&nbsp;user&nbsp;list&lt;/code&gt;&nbsp;will&nbsp;list&nbsp;all&nbsp;user</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">.(Citation:&nbsp;Microsoft&nbsp;AZ&nbsp;CLI)(Citation:&nbsp;Black&nbsp;Hills&nbsp;Red&nbsp;Team</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;within&nbsp;a&nbsp;domain.(Citation:&nbsp;Microsoft&nbsp;AZ&nbsp;CLI)(Citation:&nbsp;Bla</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;MS&nbsp;AD&nbsp;Azure,&nbsp;2018)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck&nbsp;Hills&nbsp;Red&nbsp;Teaming&nbsp;MS&nbsp;AD&nbsp;Azure,&nbsp;2018)&nbsp;<span class=\"diff_add\">&nbsp;&nbsp;The&nbsp;AWS&nbsp;command&nbsp;&lt;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ode&gt;aws&nbsp;iam&nbsp;list-users&lt;/code&gt;&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;obtain&nbsp;a&nbsp;list&nbsp;o</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">f&nbsp;users&nbsp;in&nbsp;the&nbsp;current&nbsp;account&nbsp;while&nbsp;&lt;code&gt;aws&nbsp;iam&nbsp;list-role</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&lt;/code&gt;&nbsp;can&nbsp;obtain&nbsp;IAM&nbsp;roles&nbsp;that&nbsp;have&nbsp;a&nbsp;specified&nbsp;path&nbsp;pre</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">fix.(Citation:&nbsp;AWS&nbsp;List&nbsp;Roles)(Citation:&nbsp;AWS&nbsp;List&nbsp;Users)&nbsp;In&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">GCP,&nbsp;&lt;code&gt;gcloud&nbsp;iam&nbsp;service-accounts&nbsp;list&lt;/code&gt;&nbsp;and&nbsp;&lt;code</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&gt;gcloud&nbsp;projects&nbsp;get-iam-policy&lt;/code&gt;&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;obtain</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;a&nbsp;listing&nbsp;of&nbsp;service&nbsp;accounts&nbsp;and&nbsp;users&nbsp;in&nbsp;a&nbsp;project.(Citat</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ion:&nbsp;Google&nbsp;Cloud&nbsp;-&nbsp;IAM&nbsp;Servie&nbsp;Accounts&nbsp;List&nbsp;API)</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [
                            "M1018: User Account Management",
                            "M1047: Audit"
                        ],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:29.458000+00:00",
                    "modified": "2020-10-22 02:24:54.881000+00:00",
                    "name": "Automated Exfiltration",
                    "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "exfiltration"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1020",
                            "external_id": "T1020"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring",
                        "Process use of network"
                    ],
                    "x_mitre_detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_network_requirements": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 02:24:54.881000+00:00\", \"old_value\": \"2020-03-11 13:58:08.219000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2",
                    "changelog_mitigations": {
                        "shared": [
                            "T1020: Automated Exfiltration Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-23 17:46:59.535000+00:00",
                    "modified": "2020-10-09 16:05:36.772000+00:00",
                    "name": "Boot or Logon Autostart Execution",
                    "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1547",
                            "external_id": "T1547"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/564.html",
                            "external_id": "CAPEC-564"
                        },
                        {
                            "source_name": "Microsoft Run Key",
                            "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.",
                            "url": "http://msdn.microsoft.com/en-us/library/aa376977"
                        },
                        {
                            "source_name": "MSDN Authentication Packages",
                            "description": "Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017.",
                            "url": "https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx"
                        },
                        {
                            "source_name": "Microsoft TimeProvider",
                            "description": "Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.",
                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx"
                        },
                        {
                            "source_name": "Cylance Reg Persistence Sept 2013",
                            "description": "Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.",
                            "url": "https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order"
                        },
                        {
                            "source_name": "Linux Kernel Programming",
                            "description": "Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.",
                            "url": "https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf"
                        },
                        {
                            "source_name": "TechNet Autoruns",
                            "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "root"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-564\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-09 16:05:36.772000+00:00\", \"old_value\": \"2020-06-30 21:23:15.683000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Microsoft Run Key\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/564.html\", \"old_value\": \"http://msdn.microsoft.com/en-us/library/aa376977\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Microsoft Run Key\", \"old_value\": \"MSDN Authentication Packages\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.\", \"old_value\": \"Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"http://msdn.microsoft.com/en-us/library/aa376977\", \"old_value\": \"https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"MSDN Authentication Packages\", \"old_value\": \"Microsoft TimeProvider\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017.\", \"old_value\": \"Microsoft. (n.d.). Time Provider. 
Retrieved March 26, 2018.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx\", \"old_value\": \"https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Microsoft TimeProvider\", \"old_value\": \"Cylance Reg Persistence Sept 2013\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.\", \"old_value\": \"Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx\", \"old_value\": \"https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Cylance Reg Persistence Sept 2013\", \"old_value\": \"Linux Kernel Programming\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.\", \"old_value\": \"Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order\", \"old_value\": \"https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Linux Kernel Programming\", \"old_value\": \"TechNet Autoruns\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.\", \"old_value\": \"Russinovich, M. 
(2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf\", \"old_value\": \"https://technet.microsoft.com/en-us/sysinternals/bb963902\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][7]\": {\"source_name\": \"TechNet Autoruns\", \"description\": \"Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/sysinternals/bb963902\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-23 22:02:48.566000+00:00",
                    "modified": "2020-08-03 16:30:26.918000+00:00",
                    "name": "Registry Run Keys / Startup Folder",
                    "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup</code>. The startup folder path for all users is <code>C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp</code>.\n\nThe following run keys are created by default on Windows systems:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. 
(Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. 
The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1547/001",
                            "external_id": "T1547.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/270.html",
                            "external_id": "CAPEC-270"
                        },
                        {
                            "source_name": "Microsoft Run Key",
                            "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.",
                            "url": "http://msdn.microsoft.com/en-us/library/aa376977"
                        },
                        {
                            "source_name": "Microsoft Wow6432Node 2018",
                            "description": "Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry"
                        },
                        {
                            "source_name": "Malwarebytes Wow6432Node 2016",
                            "description": "Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.",
                            "url": "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/"
                        },
                        {
                            "source_name": "Microsoft RunOnceEx APR 2018",
                            "description": "Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.",
                            "url": "https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key"
                        },
                        {
                            "source_name": "Oddvar Moe RunOnceEx Mar 2018",
                            "description": "Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.",
                            "url": "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/"
                        },
                        {
                            "source_name": "TechNet Autoruns",
                            "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Oddvar Moe, @oddvarmoe"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence that activity is malicious, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-03 16:30:26.918000+00:00\", \"old_value\": \"2020-03-25 16:16:26.182000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n\\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\\\Users\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup</code>. The startup folder path for all users is <code>C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp</code>.\\n\\nThe following run keys are created by default on Windows systems:\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n\\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. 
Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: <code>reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n\\nThe following Registry keys can be used to set startup folder items for persistence:\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n\\nThe following Registry keys can control automatic startup of services during boot:\\n\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n\\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\\n\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n\\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. 
Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell</code> subkeys can automatically launch programs.\\n\\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows</code> run when any user logs on.\\n\\nBy default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n\\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.\", \"old_value\": \"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n\\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. 
There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\\\Users\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup</code>. The startup folder path for all users is <code>C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp</code>.\\n\\nThe following run keys are created by default on Windows systems:\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n\\nThe <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. 
(Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: <code>reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n\\nThe following Registry keys can be used to set startup folder items for persistence:\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n\\nThe following Registry keys can control automatic startup of services during boot:\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n\\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n\\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. 
The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell</code> subkeys can automatically launch programs.\\n\\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows</code> run when any user logs on.\\n\\nBy default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n\\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.\", \"diff\": \"--- \\n+++ \\n@@ -3,26 +3,30 @@\\n Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\\\Users\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup</code>. 
The startup folder path for all users is <code>C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp</code>.\\n \\n The following run keys are created by default on Windows systems:\\n+\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n * <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n * <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n \\n-The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: <code>reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n+Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. 
(Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: <code>reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n \\n The following Registry keys can be used to set startup folder items for persistence:\\n+\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n * <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n * <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n \\n The following Registry keys can control automatic startup of services during boot:\\n+\\n * <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n * <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n \\n Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:\\n+\\n * <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n \"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Microsoft Wow6432Node 2018\", \"old_value\": \"Microsoft RunOnceEx APR 2018\"}, 
\"root['external_references'][3]['description']\": {\"new_value\": \"Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.\", \"old_value\": \"Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry\", \"old_value\": \"https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Malwarebytes Wow6432Node 2016\", \"old_value\": \"Oddvar Moe RunOnceEx Mar 2018\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.\", \"old_value\": \"Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/\", \"old_value\": \"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Microsoft RunOnceEx APR 2018\", \"old_value\": \"TechNet Autoruns\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.\", \"old_value\": \"Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key\", \"old_value\": \"https://technet.microsoft.com/en-us/sysinternals/bb963902\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Oddvar Moe RunOnceEx Mar 2018\", \"description\": \"Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.\", \"url\": \"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/\"}, \"root['external_references'][7]\": {\"source_name\": \"TechNet Autoruns\", \"description\": \"Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/sysinternals/bb963902\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to7__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to7__0\"><a href=\"#difflib_chg_to7__top\">t</a></td><td class=\"diff_header\" id=\"from7_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</td><td class=\"diff_next\"><a href=\"#difflib_chg_to7__top\">t</a></td><td class=\"diff_header\" id=\"to7_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;\"run&nbsp;keys\"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;\"run&nbsp;keys\"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;These&nbsp;program</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;These&nbsp;program</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;will&nbsp;be&nbsp;executed&nbsp;under&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;will&nbsp;ha</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;will&nbsp;be&nbsp;executed&nbsp;under&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;will&nbsp;ha</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;the&nbsp;account's&nbsp;associated&nbsp;permissions&nbsp;level.&nbsp;&nbsp;Placing&nbsp;a&nbsp;pr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;the&nbsp;account's&nbsp;associated&nbsp;permissions&nbsp;level.&nbsp;&nbsp;Placing&nbsp;a&nbsp;pr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogram&nbsp;within&nbsp;a&nbsp;startup&nbsp;folder&nbsp;will&nbsp;also&nbsp;cause&nbsp;that&nbsp;program&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ogram&nbsp;within&nbsp;a&nbsp;startup&nbsp;folder&nbsp;will&nbsp;also&nbsp;cause&nbsp;that&nbsp;program&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;execute&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;There&nbsp;is&nbsp;a&nbsp;startup&nbsp;folder&nbsp;loc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;execute&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;There&nbsp;is&nbsp;a&nbsp;startup&nbsp;folder&nbsp;loc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation&nbsp;for&nbsp;individual&nbsp;user&nbsp;accounts&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;system-wide&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation&nbsp;for&nbsp;individual&nbsp;user&nbsp;accounts&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;system-wide&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">startup&nbsp;folder&nbsp;that&nbsp;will&nbsp;be&nbsp;checked&nbsp;regardless&nbsp;of&nbsp;which&nbsp;user</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">startup&nbsp;folder&nbsp;that&nbsp;will&nbsp;be&nbsp;checked&nbsp;regardless&nbsp;of&nbsp;which&nbsp;user</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;account&nbsp;logs&nbsp;in.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;path&nbsp;for&nbsp;the&nbsp;current&nbsp;us</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;account&nbsp;logs&nbsp;in.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;path&nbsp;for&nbsp;the&nbsp;current&nbsp;us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">er&nbsp;is&nbsp;&lt;code&gt;C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Wi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;is&nbsp;&lt;code&gt;C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Wi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ndows\\Start&nbsp;Menu\\Programs\\Startup&lt;/code&gt;.&nbsp;The&nbsp;startup&nbsp;folder</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ndows\\Start&nbsp;Menu\\Programs\\Startup&lt;/code&gt;.&nbsp;The&nbsp;startup&nbsp;folder</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;path&nbsp;for&nbsp;all&nbsp;users&nbsp;is&nbsp;&lt;code&gt;C:\\ProgramData\\Microsoft\\Window</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;path&nbsp;for&nbsp;all&nbsp;users&nbsp;is&nbsp;&lt;code&gt;C:\\ProgramData\\Microsoft\\Window</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s\\Start&nbsp;Menu\\Programs\\StartUp&lt;/code&gt;.&nbsp;&nbsp;The&nbsp;following&nbsp;run&nbsp;key</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s\\Start&nbsp;Menu\\Programs\\StartUp&lt;/code&gt;.&nbsp;&nbsp;The&nbsp;following&nbsp;run&nbsp;key</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;are&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;systems:&nbsp;*&nbsp;&lt;code&gt;HKEY_CU</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;are&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;systems:&nbsp;<span class=\"diff_add\">&nbsp;</span>*&nbsp;&lt;code&gt;HKEY_C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">RRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">URRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Cur</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ode&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Cu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rentVersion\\RunOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Softwa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rrentVersion\\RunOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Softw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunO</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nce&lt;/code&gt;&nbsp;&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Once&lt;/code&gt;&nbsp;&nbsp;<span 
class=\"diff_add\">Run&nbsp;keys&nbsp;may&nbsp;exist&nbsp;under&nbsp;multiple&nbsp;hives.(Citati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Windows\\CurrentVersion\\RunOnceEx&lt;/code&gt;&nbsp;is&nbsp;also&nbsp;available&nbsp;bu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on:&nbsp;Microsoft&nbsp;Wow6432Node&nbsp;2018)(Citation:&nbsp;Malwarebytes&nbsp;Wow64</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;is&nbsp;not&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;newer.&nbsp;Regi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">32Node&nbsp;2016)&nbsp;</span>The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stry&nbsp;run&nbsp;key&nbsp;entries&nbsp;can&nbsp;reference&nbsp;programs&nbsp;directly&nbsp;or&nbsp;list</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">\\Windows\\CurrentVersion\\RunOnceEx&lt;/code&gt;&nbsp;is&nbsp;also&nbsp;available&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;them&nbsp;as&nbsp;a&nbsp;dependency.&nbsp;(Citation:&nbsp;Microsoft&nbsp;RunOnceEx&nbsp;APR&nbsp;20</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ut&nbsp;is&nbsp;not&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;newer.&nbsp;Reg</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">18)&nbsp;For&nbsp;example,&nbsp;it&nbsp;is&nbsp;possible&nbsp;to&nbsp;load&nbsp;a&nbsp;DLL&nbsp;at&nbsp;logon&nbsp;using</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">istry&nbsp;run&nbsp;key&nbsp;entries&nbsp;can&nbsp;reference&nbsp;programs&nbsp;directly&nbsp;or&nbsp;lis</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;\"Depend\"&nbsp;key&nbsp;with&nbsp;RunOnceEx:&nbsp;&lt;code&gt;reg&nbsp;add&nbsp;HKLM\\SOFTWARE\\</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;them&nbsp;as&nbsp;a&nbsp;dependency.&nbsp;(Citation:&nbsp;Microsoft&nbsp;RunOnceEx&nbsp;APR&nbsp;2</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend&nbsp;/v&nbsp;1&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">018)&nbsp;For&nbsp;example,&nbsp;it&nbsp;is&nbsp;possible&nbsp;to&nbsp;load&nbsp;a&nbsp;DLL&nbsp;at&nbsp;logon&nbsp;usin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/d&nbsp;\"C:\\temp\\evil[.]dll\"&lt;/code&gt;&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;RunOnce</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;a&nbsp;\"Depend\"&nbsp;key&nbsp;with&nbsp;RunOnceEx:&nbsp;&lt;code&gt;reg&nbsp;add&nbsp;HKLM\\SOFTWARE</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Ex&nbsp;Mar&nbsp;2018)&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;set</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend&nbsp;/v&nbsp;1</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;startup&nbsp;folder&nbsp;items&nbsp;for&nbsp;persistence:&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;/d&nbsp;\"C:\\temp\\evil[.]dll\"&lt;/code&gt;&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;RunOnc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eEx&nbsp;Mar&nbsp;2018)&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;se</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Mic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;startup&nbsp;folder&nbsp;items&nbsp;for&nbsp;persistence:&nbsp;<span class=\"diff_add\">&nbsp;</span>*&nbsp;&lt;code&gt;HKEY_CURREN</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rosoft\\Windows\\CurrentVersion\\Explorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">T_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Curren</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\M</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">tVersion\\Explorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MA</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icrosoft\\Windows\\CurrentVersion\\Explorer\\Shell&nbsp;Folders&lt;/code</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">CHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Curr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;Shell&nbsp;Folders&lt;/code&gt;&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;cont</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entVersion\\Explorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rol&nbsp;automatic&nbsp;startup&nbsp;of&nbsp;services&nbsp;during&nbsp;boot:&nbsp;*&nbsp;&lt;code&gt;HKEY_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\U</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunS</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ser&nbsp;Shell&nbsp;Folders&lt;/code&gt;&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ervicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Micros</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">ntrol&nbsp;automatic&nbsp;startup&nbsp;of&nbsp;services&nbsp;during&nbsp;boot:&nbsp;<span class=\"diff_add\">&nbsp;</span>*&nbsp;&lt;code&gt;HK</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oft\\Windows\\CurrentVersion\\RunServicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HK</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">EY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\R</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">EY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\R</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unServicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Mic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unServices&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microso</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rosoft\\Windows\\CurrentVersion\\RunServicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ft\\Windows\\CurrentVersion\\RunServices&lt;/code&gt;&nbsp;&nbsp;Using&nbsp;policy&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ettings&nbsp;to&nbsp;specify&nbsp;startup&nbsp;programs&nbsp;creates&nbsp;corresponding&nbsp;va</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">n\\RunServices&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Micr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lues&nbsp;in&nbsp;either&nbsp;of&nbsp;two&nbsp;Registry&nbsp;keys:&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACH</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">osoft\\Windows\\CurrentVersion\\RunServices&lt;/code&gt;&nbsp;&nbsp;Using&nbsp;polic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">INE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;settings&nbsp;to&nbsp;specify&nbsp;startup&nbsp;programs&nbsp;creates&nbsp;corresponding</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rer\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;values&nbsp;in&nbsp;either&nbsp;of&nbsp;two&nbsp;Registry&nbsp;keys:&nbsp;<span class=\"diff_add\">&nbsp;</span>*&nbsp;&lt;code&gt;HKEY_LOCAL_</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Windows\\CurrentVersion\\Policies\\Explorer\\Run&lt;/code&gt;&nbsp;&nbsp;The&nbsp;Win</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\E</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">logon&nbsp;key&nbsp;controls&nbsp;actions&nbsp;that&nbsp;occur&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;on&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">xplorer\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Micros</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;computer&nbsp;running&nbsp;Windows&nbsp;7.&nbsp;Most&nbsp;of&nbsp;these&nbsp;actions&nbsp;are&nbsp;und</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run&lt;/code&gt;&nbsp;&nbsp;The</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;the&nbsp;control&nbsp;of&nbsp;the&nbsp;operating&nbsp;system,&nbsp;but&nbsp;you&nbsp;can&nbsp;also&nbsp;add</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Winlogon&nbsp;key&nbsp;controls&nbsp;actions&nbsp;that&nbsp;occur&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;custom&nbsp;actions&nbsp;here.&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;to&nbsp;a&nbsp;computer&nbsp;running&nbsp;Windows&nbsp;7.&nbsp;Most&nbsp;of&nbsp;these&nbsp;actions&nbsp;are</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Microsoft\\Windows&nbsp;NT\\CurrentVersion\\Winlogon\\Userinit&lt;/code&gt;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;under&nbsp;the&nbsp;control&nbsp;of&nbsp;the&nbsp;operating&nbsp;system,&nbsp;but&nbsp;you&nbsp;can&nbsp;also</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows&nbsp;NT\\</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;add&nbsp;custom&nbsp;actions&nbsp;here.&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Softw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">CurrentVersion\\Winlogon\\Shell&lt;/code&gt;&nbsp;subkeys&nbsp;can&nbsp;automatical</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are\\Microsoft\\Windows&nbsp;NT\\CurrentVersion\\Winlogon\\Userinit&lt;/c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ly&nbsp;launch&nbsp;programs.&nbsp;&nbsp;Programs&nbsp;listed&nbsp;in&nbsp;the&nbsp;load&nbsp;value&nbsp;of&nbsp;th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ode&gt;&nbsp;and&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Wi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;NT\\CurrentVersion\\Winlogon\\Shell&lt;/code&gt;&nbsp;subkeys&nbsp;can&nbsp;automat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ndows&nbsp;NT\\CurrentVersion\\Windows&lt;/code&gt;&nbsp;run&nbsp;when&nbsp;any&nbsp;user&nbsp;log</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ically&nbsp;launch&nbsp;programs.&nbsp;&nbsp;Programs&nbsp;listed&nbsp;in&nbsp;the&nbsp;load&nbsp;value&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;on.&nbsp;&nbsp;By&nbsp;default,&nbsp;the&nbsp;multistring&nbsp;&lt;code&gt;BootExecute&lt;/code&gt;&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">f&nbsp;the&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsof</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">value&nbsp;of&nbsp;the&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\System\\Cu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t\\Windows&nbsp;NT\\CurrentVersion\\Windows&lt;/code&gt;&nbsp;run&nbsp;when&nbsp;any&nbsp;user</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rrentControlSet\\Control\\Session&nbsp;Manager&lt;/code&gt;&nbsp;is&nbsp;set&nbsp;to&nbsp;&lt;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;logs&nbsp;on.&nbsp;&nbsp;By&nbsp;default,&nbsp;the&nbsp;multistring&nbsp;&lt;code&gt;BootExecute&lt;/co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;autocheck&nbsp;autochk&nbsp;*&lt;/code&gt;.&nbsp;This&nbsp;value&nbsp;causes&nbsp;Windows,&nbsp;at</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;&nbsp;value&nbsp;of&nbsp;the&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Syste</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;startup,&nbsp;to&nbsp;check&nbsp;the&nbsp;file-system&nbsp;integrity&nbsp;of&nbsp;the&nbsp;hard&nbsp;dis</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m\\CurrentControlSet\\Control\\Session&nbsp;Manager&lt;/code&gt;&nbsp;is&nbsp;set&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ks&nbsp;if&nbsp;the&nbsp;system&nbsp;has&nbsp;been&nbsp;shut&nbsp;down&nbsp;abnormally.&nbsp;Adversaries&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;&lt;code&gt;autocheck&nbsp;autochk&nbsp;*&lt;/code&gt;.&nbsp;This&nbsp;value&nbsp;causes&nbsp;Windows</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">can&nbsp;add&nbsp;other&nbsp;programs&nbsp;or&nbsp;processes&nbsp;to&nbsp;this&nbsp;registry&nbsp;value&nbsp;w</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;at&nbsp;startup,&nbsp;to&nbsp;check&nbsp;the&nbsp;file-system&nbsp;integrity&nbsp;of&nbsp;the&nbsp;hard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hich&nbsp;will&nbsp;automatically&nbsp;launch&nbsp;at&nbsp;boot.&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;disks&nbsp;if&nbsp;the&nbsp;system&nbsp;has&nbsp;been&nbsp;shut&nbsp;down&nbsp;abnormally.&nbsp;Adversar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;these&nbsp;configuration&nbsp;locations&nbsp;to&nbsp;execute&nbsp;malware,&nbsp;such&nbsp;as&nbsp;r</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;can&nbsp;add&nbsp;other&nbsp;programs&nbsp;or&nbsp;processes&nbsp;to&nbsp;this&nbsp;registry&nbsp;val</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">emote&nbsp;access&nbsp;tools,&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;through&nbsp;system&nbsp;r</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ue&nbsp;which&nbsp;will&nbsp;automatically&nbsp;launch&nbsp;at&nbsp;boot.&nbsp;&nbsp;Adversaries&nbsp;can</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eboots.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](https://atta</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;use&nbsp;these&nbsp;configuration&nbsp;locations&nbsp;to&nbsp;execute&nbsp;malware,&nbsp;such&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck.mitre.org/techniques/T1036)&nbsp;to&nbsp;make&nbsp;the&nbsp;Registry&nbsp;entries&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;remote&nbsp;access&nbsp;tools,&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;through&nbsp;syst</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">look&nbsp;as&nbsp;if&nbsp;they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;programs.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;reboots.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](https://</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">attack.mitre.org/techniques/T1036)&nbsp;to&nbsp;make&nbsp;the&nbsp;Registry&nbsp;entr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;look&nbsp;as&nbsp;if&nbsp;they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;programs.</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:38.910000+00:00",
                    "modified": "2020-08-03 16:47:37.240000+00:00",
                    "name": "Boot or Logon Initialization Scripts",
                    "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.  \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1037",
                            "external_id": "T1037"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/564.html",
                            "external_id": "CAPEC-564"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running processes for actions that could be indicative of abnormal programs or executables running upon logon.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "macOS",
                        "Windows",
                        "Linux"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-03 16:47:37.240000+00:00\", \"old_value\": \"2020-03-27 16:49:15.953000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][2]\": \"Linux\"}}",
                    "previous_version": "2.0",
                    "version_change": "2.0 \u2192 2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1024: Restrict Registry Permissions",
                            "T1037: Logon Scripts Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:39:59.959000+00:00",
                    "modified": "2020-10-19 22:43:45.475000+00:00",
                    "name": "Credential Stuffing",
                    "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1110/004",
                            "external_id": "T1110.004"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/600.html",
                            "external_id": "CAPEC-600"
                        },
                        {
                            "source_name": "US-CERT TA18-068A 2018",
                            "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Diogo Fernandes",
                        "Anastasios Pingios"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "Office 365 account logs"
                    ],
                    "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-600\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 22:43:45.475000+00:00\", \"old_value\": \"2020-03-29 20:35:36.694000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"US-CERT TA18-068A 2018\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/600.html\", \"old_value\": \"https://www.us-cert.gov/ncas/alerts/TA18-086A\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"US-CERT TA18-068A 2018\", \"description\": \"US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.\", \"url\": \"https://www.us-cert.gov/ncas/alerts/TA18-086A\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1027: Password Policies",
                            "M1032: Multi-factor Authentication",
                            "M1036: Account Use Policies"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:38:56.197000+00:00",
                    "modified": "2020-09-16 15:39:59.041000+00:00",
                    "name": "Password Cracking",
                    "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes; this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1110/002",
                            "external_id": "T1110.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/55.html",
                            "external_id": "CAPEC-55"
                        },
                        {
                            "source_name": "Wikipedia Password cracking",
                            "description": "Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.",
                            "url": "https://en.wikipedia.org/wiki/Password_cracking"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "Office 365 account logs"
                    ],
                    "x_mitre_detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Office 365",
                        "Azure AD"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-55\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:39:59.041000+00:00\", \"old_value\": \"2020-07-09 17:01:18.054000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Wikipedia Password cracking\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/55.html\", \"old_value\": \"https://en.wikipedia.org/wiki/Password_cracking\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Wikipedia Password cracking\", \"description\": \"Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.\", \"url\": \"https://en.wikipedia.org/wiki/Password_cracking\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1027: Password Policies",
                            "M1032: Multi-factor Authentication"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:38:22.617000+00:00",
                    "modified": "2020-10-19 22:43:45.126000+00:00",
                    "name": "Password Guessing",
                    "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1110/001",
                            "external_id": "T1110.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/49.html",
                            "external_id": "CAPEC-49"
                        },
                        {
                            "source_name": "Cylance Cleaver",
                            "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
                            "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
                        },
                        {
                            "source_name": "US-CERT TA18-068A 2018",
                            "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Microsoft Threat Intelligence Center (MSTIC)"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "Office 365 account logs"
                    ],
                    "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Office 365",
                        "GCP",
                        "Azure AD",
                        "AWS",
                        "Azure",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-49\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 22:43:45.126000+00:00\", \"old_value\": \"2020-03-29 17:11:46.504000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Cylance Cleaver\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/49.html\", \"old_value\": \"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Cylance Cleaver\", \"old_value\": \"US-CERT TA18-068A 2018\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.\", \"old_value\": \"US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf\", \"old_value\": \"https://www.us-cert.gov/ncas/alerts/TA18-086A\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"US-CERT TA18-068A 2018\", \"description\": \"US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.\", \"url\": \"https://www.us-cert.gov/ncas/alerts/TA18-086A\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1027: Password Policies",
                            "M1032: Multi-factor Authentication",
                            "M1036: Account Use Policies"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:39:25.122000+00:00",
                    "modified": "2020-10-19 22:43:45.579000+00:00",
                    "name": "Password Spraying",
                    "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1110/003",
                            "external_id": "T1110.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/565.html",
                            "external_id": "CAPEC-565"
                        },
                        {
                            "source_name": "BlackHillsInfosec Password Spraying",
                            "description": "Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.",
                            "url": "http://www.blackhillsinfosec.com/?p=4645"
                        },
                        {
                            "source_name": "US-CERT TA18-068A 2018",
                            "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
                        },
                        {
                            "source_name": "Trimarc Detecting Password Spraying",
                            "description": "Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.",
                            "url": "https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Microsoft Threat Intelligence Center (MSTIC)",
                        "John Strand"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "Office 365 account logs"
                    ],
                    "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n\n* Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.\n* Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.\n* All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-565\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 22:43:45.579000+00:00\", \"old_value\": \"2020-03-29 17:13:57.172000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"BlackHillsInfosec Password Spraying\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/565.html\", \"old_value\": \"http://www.blackhillsinfosec.com/?p=4645\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"BlackHillsInfosec Password Spraying\", \"old_value\": \"US-CERT TA18-068A 2018\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.\", \"old_value\": \"US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"http://www.blackhillsinfosec.com/?p=4645\", \"old_value\": \"https://www.us-cert.gov/ncas/alerts/TA18-086A\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"US-CERT TA18-068A 2018\", \"old_value\": \"Trimarc Detecting Password Spraying\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.\", \"old_value\": \"Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://www.us-cert.gov/ncas/alerts/TA18-086A\", \"old_value\": \"https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"Trimarc Detecting Password Spraying\", \"description\": \"Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.\", \"url\": \"https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1027: Password Policies",
                            "M1032: Multi-factor Authentication",
                            "M1036: Account Use Policies"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:49.546000+00:00",
                    "modified": "2020-10-22 16:43:39.362000+00:00",
                    "name": "Command and Scripting Interpreter",
                    "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "execution"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1059",
                            "external_id": "T1059"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Windows event logs",
                        "PowerShell logs",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\n\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_remote_support": false,
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 16:43:39.362000+00:00\", \"old_value\": \"2020-06-25 03:32:51.380000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "2.0",
                    "version_change": "2.0 \u2192 2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1021: Restrict Web-Based Content",
                            "M1026: Privileged Account Management",
                            "M1038: Execution Prevention",
                            "M1042: Disable or Remove Feature or Program",
                            "M1045: Code Signing",
                            "M1049: Antivirus/Antimalware"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-09 14:07:54.329000+00:00",
                    "modified": "2020-08-03 21:40:51.878000+00:00",
                    "name": "AppleScript",
                    "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call <code>osascript</code> to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s\u00a0<code>NSAppleScript</code>\u00a0or\u00a0<code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "execution"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1059/002",
                            "external_id": "T1059.002"
                        },
                        {
                            "source_name": "Apple AppleScript",
                            "description": "Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020.",
                            "url": "https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html"
                        },
                        {
                            "source_name": "SentinelOne AppleScript",
                            "description": "Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020.",
                            "url": "https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/"
                        },
                        {
                            "source_name": "SentinelOne macOS Red Team",
                            "description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.",
                            "url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/"
                        },
                        {
                            "source_name": "Macro Malware Targets Macs",
                            "description": "Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.",
                            "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Phil Stokes, SentinelOne"
                    ],
                    "x_mitre_data_sources": [
                        "API monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "Monitor for execution of AppleScript through <code>osascript</code> and usage of the <code>NSAppleScript</code> and <code>OSAScript</code> APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "macOS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Phil Stokes, SentinelOne\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-03 21:40:51.878000+00:00\", \"old_value\": \"2020-04-14 13:28:17.696000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\\n\\nScripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \\\"script here\\\"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)\\n\\nAppleScripts do not need to call <code>osascript</code> to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s\\u00a0<code>NSAppleScript</code>\\u00a0or\\u00a0<code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.\\n\\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. 
On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)\", \"old_value\": \"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.\\n\\n<code>osascript</code> executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\\n\\nAdversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). 
Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \\\"script here\\\"</code>.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.\\n+Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\\n \\n-<code>osascript</code> executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\\n+Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \\\"script here\\\"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)\\n \\n-Adversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. 
These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \\\"script here\\\"</code>.\\n+AppleScripts do not need to call <code>osascript</code> to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s\\u00a0<code>NSAppleScript</code>\\u00a0or\\u00a0<code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.\\n+\\n+Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"SentinelOne AppleScript\", \"old_value\": \"Macro Malware Targets Macs\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Phil Stokes. (2020, March 16). 
How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020.\", \"old_value\": \"Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/\", \"old_value\": \"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for execution of AppleScript through <code>osascript</code> and usage of the <code>NSAppleScript</code> and <code>OSAScript</code> APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\\n\\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible to determine their actions and intent.\", \"old_value\": \"Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.\\n+Monitor for execution of AppleScript through <code>osascript</code> and usage of the <code>NSAppleScript</code> and <code>OSAScript</code> APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\\n+\\n+Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"SentinelOne macOS Red Team\", \"description\": \"Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. 
Retrieved July 17, 2020.\", \"url\": \"https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/\"}, \"root['external_references'][4]\": {\"source_name\": \"Macro Malware Targets Macs\", \"description\": \"Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.\", \"url\": \"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/\"}, \"root['x_mitre_data_sources'][0]\": \"API monitoring\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to17__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to17__0\"><a href=\"#difflib_chg_to17__top\">t</a></td><td class=\"diff_header\" id=\"from17_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;abuse&nbsp;AppleScript&nbsp;for&nbsp;execution.&nbsp;AppleScript</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to17__top\">t</a></td><td class=\"diff_header\" id=\"to17_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;abuse&nbsp;AppleScript&nbsp;for&nbsp;execution.&nbsp;AppleScript</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;is&nbsp;a&nbsp;macOS&nbsp;scripting&nbsp;language&nbsp;designed&nbsp;to&nbsp;control&nbsp;applicati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;is&nbsp;a&nbsp;macOS&nbsp;scripting&nbsp;language&nbsp;designed&nbsp;to&nbsp;control&nbsp;applicati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ons&nbsp;and&nbsp;parts&nbsp;of&nbsp;the&nbsp;OS&nbsp;via&nbsp;inter-application&nbsp;messages&nbsp;calle</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ons&nbsp;and&nbsp;parts&nbsp;of&nbsp;the&nbsp;OS&nbsp;via&nbsp;inter-application&nbsp;messages&nbsp;calle</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;AppleEvents.&nbsp;(Citation:&nbsp;Apple&nbsp;AppleScript)&nbsp;These&nbsp;AppleEven</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;AppleEvents.(Citation:&nbsp;Apple&nbsp;AppleScript)&nbsp;These&nbsp;AppleEvent</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;messages&nbsp;can&nbsp;be&nbsp;easily&nbsp;scripted&nbsp;with&nbsp;AppleScript&nbsp;for&nbsp;local</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;messages&nbsp;can&nbsp;be&nbsp;sent&nbsp;independently&nbsp;or&nbsp;easily&nbsp;scripted&nbsp;with&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;or&nbsp;remote&nbsp;execution.&nbsp;&nbsp;&lt;code&gt;osascript&lt;/code&gt;&nbsp;executes&nbsp;Apple</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">AppleScript.&nbsp;These&nbsp;events&nbsp;can&nbsp;locate&nbsp;open&nbsp;windows,&nbsp;send&nbsp;keys</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Script&nbsp;and&nbsp;any&nbsp;other&nbsp;Open&nbsp;Scripting&nbsp;Architecture&nbsp;(OSA)&nbsp;langu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">trokes,&nbsp;and&nbsp;interact&nbsp;with&nbsp;almost&nbsp;any&nbsp;open&nbsp;application&nbsp;locall</span></td></tr>\n        
    <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">age&nbsp;scripts.&nbsp;A&nbsp;list&nbsp;of&nbsp;OSA&nbsp;languages&nbsp;installed&nbsp;on&nbsp;a&nbsp;system&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;or&nbsp;remotely.&nbsp;&nbsp;Scripts&nbsp;can&nbsp;be&nbsp;run&nbsp;from&nbsp;the&nbsp;command-line&nbsp;via</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">an&nbsp;be&nbsp;found&nbsp;by&nbsp;using&nbsp;the&nbsp;&lt;code&gt;osalang&lt;/code&gt;&nbsp;program.&nbsp;Apple</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;&lt;code&gt;osascript&nbsp;/path/to/script&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;osascript&nbsp;-</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Event&nbsp;messages&nbsp;can&nbsp;be&nbsp;sent&nbsp;independently&nbsp;or&nbsp;as&nbsp;part&nbsp;of&nbsp;a&nbsp;scr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;\"script&nbsp;here\"&lt;/code&gt;.&nbsp;Aside&nbsp;from&nbsp;the&nbsp;command&nbsp;line,&nbsp;scripts</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ipt.&nbsp;These&nbsp;events&nbsp;can&nbsp;locate&nbsp;open&nbsp;windows,&nbsp;send&nbsp;keystrokes,&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;can&nbsp;be&nbsp;executed&nbsp;in&nbsp;numerous&nbsp;ways&nbsp;including&nbsp;Mail&nbsp;rules,&nbsp;Cale</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">and&nbsp;interact&nbsp;with&nbsp;almost&nbsp;any&nbsp;open&nbsp;application&nbsp;locally&nbsp;or&nbsp;rem</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ndar.app&nbsp;alarms,&nbsp;and&nbsp;Automator&nbsp;workflows.&nbsp;AppleScripts&nbsp;can&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">otely.&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;use&nbsp;this&nbsp;to&nbsp;execute&nbsp;various&nbsp;behavior</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lso&nbsp;be&nbsp;executed&nbsp;as&nbsp;plain&nbsp;text&nbsp;shell&nbsp;scripts&nbsp;by&nbsp;adding&nbsp;&lt;code&gt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s,&nbsp;such&nbsp;as&nbsp;interacting&nbsp;with&nbsp;an&nbsp;open&nbsp;SSH&nbsp;connection,&nbsp;moving&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">#!/usr/bin/osascript&lt;/code&gt;&nbsp;to&nbsp;the&nbsp;start&nbsp;of&nbsp;the&nbsp;script&nbsp;file.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;remote&nbsp;machines,&nbsp;and&nbsp;even&nbsp;presenting&nbsp;users&nbsp;with&nbsp;fake&nbsp;dialo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;SentinelOne&nbsp;AppleScript)&nbsp;&nbsp;AppleScripts&nbsp;do&nbsp;not&nbsp;nee</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">g&nbsp;boxes.&nbsp;These&nbsp;events&nbsp;cannot&nbsp;start&nbsp;applications&nbsp;remotely&nbsp;(th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;to&nbsp;call&nbsp;&lt;code&gt;osascript&lt;/code&gt;&nbsp;to&nbsp;execute,&nbsp;however.&nbsp;They&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ey&nbsp;can&nbsp;start&nbsp;them&nbsp;locally&nbsp;though),&nbsp;but&nbsp;can&nbsp;interact&nbsp;with&nbsp;app</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ay&nbsp;be&nbsp;executed&nbsp;from&nbsp;within&nbsp;mach-O&nbsp;binaries&nbsp;by&nbsp;using&nbsp;the&nbsp;macO</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lications&nbsp;if&nbsp;they're&nbsp;already&nbsp;running&nbsp;remotely.&nbsp;Since&nbsp;this&nbsp;is</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">S&nbsp;[Native&nbsp;API](https://attack.mitre.org/techniques/T1106)s\u00a0&lt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;scripting&nbsp;language,&nbsp;it&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;launch&nbsp;more&nbsp;common&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">code&gt;NSAppleScript&lt;/code&gt;\u00a0or\u00a0&lt;code&gt;OSAScript&lt;/code&gt;,&nbsp;both&nbsp;of</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">techniques&nbsp;as&nbsp;well&nbsp;such&nbsp;as&nbsp;a&nbsp;reverse&nbsp;shell&nbsp;via&nbsp;[Python](http</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;which&nbsp;execute&nbsp;code&nbsp;independent&nbsp;of&nbsp;the&nbsp;&lt;code&gt;/usr/bin/osascr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s://attack.mitre.org/techniques/T1059/006)(Citation:&nbsp;Macro&nbsp;M</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ipt&lt;/code&gt;&nbsp;command&nbsp;line&nbsp;utility.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;Appl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alware&nbsp;Targets&nbsp;Macs).&nbsp;Scripts&nbsp;can&nbsp;be&nbsp;run&nbsp;from&nbsp;the&nbsp;command-li</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">eScript&nbsp;to&nbsp;execute&nbsp;various&nbsp;behaviors,&nbsp;such&nbsp;as&nbsp;interacting&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ne&nbsp;via&nbsp;&lt;code&gt;osascript&nbsp;/path/to/script&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;osasc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">th&nbsp;an&nbsp;open&nbsp;SSH&nbsp;connection,&nbsp;moving&nbsp;to&nbsp;remote&nbsp;machines,&nbsp;and&nbsp;ev</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ript&nbsp;-e&nbsp;\"script&nbsp;here\"&lt;/code&gt;.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\"><span class=\"diff_add\">en&nbsp;presenting&nbsp;users&nbsp;with&nbsp;fake&nbsp;dialog&nbsp;boxes.&nbsp;These&nbsp;events&nbsp;can</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">not&nbsp;start&nbsp;applications&nbsp;remotely&nbsp;(they&nbsp;can&nbsp;start&nbsp;them&nbsp;locally</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">),&nbsp;but&nbsp;they&nbsp;can&nbsp;interact&nbsp;with&nbsp;applications&nbsp;if&nbsp;they're&nbsp;alread</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;running&nbsp;remotely.&nbsp;On&nbsp;macOS&nbsp;10.10&nbsp;Yosemite&nbsp;and&nbsp;higher,&nbsp;Appl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">eScript&nbsp;has&nbsp;the&nbsp;ability&nbsp;to&nbsp;execute&nbsp;[Native&nbsp;API](https://atta</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ck.mitre.org/techniques/T1106)s,&nbsp;which&nbsp;otherwise&nbsp;would&nbsp;requi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re&nbsp;compilation&nbsp;and&nbsp;execution&nbsp;in&nbsp;a&nbsp;mach-O&nbsp;binary&nbsp;file&nbsp;format.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;SentinelOne&nbsp;macOS&nbsp;Red&nbsp;Team).&nbsp;Since&nbsp;this&nbsp;is&nbsp;a&nbsp;scri</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pting&nbsp;language,&nbsp;it&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;launch&nbsp;more&nbsp;common&nbsp;techniq</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ues&nbsp;as&nbsp;well&nbsp;such&nbsp;as&nbsp;a&nbsp;reverse&nbsp;shell&nbsp;via&nbsp;[Python](https://att</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ack.mitre.org/techniques/T1059/006).(Citation:&nbsp;Macro&nbsp;Malware</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Targets&nbsp;Macs)</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1038: Execution Prevention",
                            "M1045: Code Signing"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-09 14:29:51.508000+00:00",
                    "modified": "2020-08-13 20:09:39.122000+00:00",
                    "name": "Visual Basic",
                    "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "execution"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1059/005",
                            "external_id": "T1059.005"
                        },
                        {
                            "source_name": "VB .NET Mar 2020",
                            "description": ".NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.",
                            "url": "https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/"
                        },
                        {
                            "source_name": "VB Microsoft",
                            "description": "Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.",
                            "url": "https://docs.microsoft.com/dotnet/visual-basic/"
                        },
                        {
                            "source_name": "Microsoft VBA",
                            "description": "Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.",
                            "url": "https://docs.microsoft.com/office/vba/api/overview/"
                        },
                        {
                            "source_name": "Wikipedia VBA",
                            "description": "Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.",
                            "url": "https://en.wikipedia.org/wiki/Visual_Basic_for_Applications"
                        },
                        {
                            "source_name": "Microsoft VBScript",
                            "description": "Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.",
                            "url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "DLL monitoring",
                        "Loaded DLLs",
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "macOS",
                        "Linux"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-13 20:09:39.122000+00:00\", \"old_value\": \"2020-06-25 03:32:51.046000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\\n\\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\\n\\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.\", \"old_value\": \"Adversaries may abuse Visual Basic (VB) for execution. 
VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\\n\\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA)  VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\\n\\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. 
Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\\n \\n-Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA)  VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\\n+Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\\n \\n Adversaries may use VB payloads to execute malicious commands. 
Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Wikipedia VBA\", \"old_value\": \"Microsoft VBScript\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.\", \"old_value\": \"Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://en.wikipedia.org/wiki/Visual_Basic_for_Applications\", \"old_value\": \"https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Microsoft VBScript\", \"description\": \"Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.\", \"url\": \"https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to30__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to30__0\"><a href=\"#difflib_chg_to30__top\">t</a></td><td class=\"diff_header\" id=\"from30_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;Visual&nbsp;Basic&nbsp;(VB)&nbsp;for&nbsp;execution.&nbsp;VB&nbsp;is</td><td class=\"diff_next\"><a href=\"#difflib_chg_to30__top\">t</a></td><td class=\"diff_header\" id=\"to30_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;Visual&nbsp;Basic&nbsp;(VB)&nbsp;for&nbsp;execution.&nbsp;VB&nbsp;is</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;programming&nbsp;language&nbsp;created&nbsp;by&nbsp;Microsoft&nbsp;with&nbsp;interopera</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;programming&nbsp;language&nbsp;created&nbsp;by&nbsp;Microsoft&nbsp;with&nbsp;interopera</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bility&nbsp;with&nbsp;many&nbsp;Windows&nbsp;technologies&nbsp;such&nbsp;as&nbsp;[Component&nbsp;Obj</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bility&nbsp;with&nbsp;many&nbsp;Windows&nbsp;technologies&nbsp;such&nbsp;as&nbsp;[Component&nbsp;Obj</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ect&nbsp;Model](https://attack.mitre.org/techniques/T1559/001)&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ect&nbsp;Model](https://attack.mitre.org/techniques/T1559/001)&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;the&nbsp;[Native&nbsp;API](https://attack.mitre.org/techniques/T1106</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;the&nbsp;[Native&nbsp;API](https://attack.mitre.org/techniques/T1106</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;through&nbsp;the&nbsp;Windows&nbsp;API.&nbsp;Although&nbsp;tagged&nbsp;as&nbsp;legacy&nbsp;with&nbsp;no</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;through&nbsp;the&nbsp;Windows&nbsp;API.&nbsp;Although&nbsp;tagged&nbsp;as&nbsp;legacy&nbsp;with&nbsp;no</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;planned&nbsp;future&nbsp;evolutions,&nbsp;VB&nbsp;is&nbsp;integrated&nbsp;and&nbsp;supported&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;planned&nbsp;future&nbsp;evolutions,&nbsp;VB&nbsp;is&nbsp;integrated&nbsp;and&nbsp;supported&nbsp;i</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;the&nbsp;.NET&nbsp;Framework&nbsp;and&nbsp;cross-platform&nbsp;.NET&nbsp;Core.(Citation:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;the&nbsp;.NET&nbsp;Framework&nbsp;and&nbsp;cross-platform&nbsp;.NET&nbsp;Core.(Citation:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;VB&nbsp;.NET&nbsp;Mar&nbsp;2020)(Citation:&nbsp;VB&nbsp;Microsoft)&nbsp;&nbsp;Derivative&nbsp;langu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;VB&nbsp;.NET&nbsp;Mar&nbsp;2020)(Citation:&nbsp;VB&nbsp;Microsoft)&nbsp;&nbsp;Derivative&nbsp;langu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ages&nbsp;based&nbsp;on&nbsp;VB&nbsp;have&nbsp;also&nbsp;been&nbsp;created,&nbsp;such&nbsp;as&nbsp;Visual&nbsp;Basi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ages&nbsp;based&nbsp;on&nbsp;VB&nbsp;have&nbsp;also&nbsp;been&nbsp;created,&nbsp;such&nbsp;as&nbsp;Visual&nbsp;Basi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">c&nbsp;for&nbsp;Applications&nbsp;(VBA)&nbsp;and&nbsp;VBScript.&nbsp;VBA&nbsp;is&nbsp;an&nbsp;event-drive</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">c&nbsp;for&nbsp;Applications&nbsp;(VBA)&nbsp;and&nbsp;VBScript.&nbsp;VBA&nbsp;is&nbsp;an&nbsp;event-drive</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;programming&nbsp;language&nbsp;built&nbsp;into&nbsp;Office&nbsp;applications.(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;programming&nbsp;language&nbsp;built&nbsp;into<span class=\"diff_add\">&nbsp;Microsoft</span>&nbsp;Office<span class=\"diff_add\">,&nbsp;as&nbsp;well&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Microsoft&nbsp;VBA)<span class=\"diff_chg\">&nbsp;</span>&nbsp;VBA&nbsp;enables&nbsp;documents&nbsp;to&nbsp;contain&nbsp;macros</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">as&nbsp;several&nbsp;third-party</span>&nbsp;applications.(Citation:&nbsp;Microsoft&nbsp;VBA</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;used&nbsp;to&nbsp;automate&nbsp;the&nbsp;execution&nbsp;of&nbsp;tasks&nbsp;and&nbsp;other&nbsp;functiona</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)<span class=\"diff_chg\">(Citation:&nbsp;Wikipedia</span>&nbsp;VBA<span class=\"diff_add\">)&nbsp;VBA</span>&nbsp;enables&nbsp;documents&nbsp;to&nbsp;contain&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lity&nbsp;on&nbsp;the&nbsp;host.&nbsp;VBScript&nbsp;is&nbsp;a&nbsp;default&nbsp;scripting&nbsp;language&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">macros&nbsp;used&nbsp;to&nbsp;automate&nbsp;the&nbsp;execution&nbsp;of&nbsp;tasks&nbsp;and&nbsp;other&nbsp;fun</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Windows&nbsp;hosts&nbsp;and&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;in&nbsp;place&nbsp;of&nbsp;[JavaScript</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctionality&nbsp;on&nbsp;the&nbsp;host.&nbsp;VBScript&nbsp;is&nbsp;a&nbsp;default&nbsp;scripting&nbsp;lang</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/JScript](https://attack.mitre.org/techniques/T1059/007)&nbsp;on&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uage&nbsp;on&nbsp;Windows&nbsp;hosts&nbsp;and&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;in&nbsp;place&nbsp;of&nbsp;[Java</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">HTML&nbsp;Application&nbsp;(HTA)&nbsp;webpages&nbsp;served&nbsp;to&nbsp;Internet&nbsp;Explorer&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Script/JScript](https://attack.mitre.org/techniques/T1059/00</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(though&nbsp;most&nbsp;modern&nbsp;browsers&nbsp;do&nbsp;not&nbsp;come&nbsp;with&nbsp;VBScript&nbsp;suppo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">7)&nbsp;on&nbsp;HTML&nbsp;Application&nbsp;(HTA)&nbsp;webpages&nbsp;served&nbsp;to&nbsp;Internet&nbsp;Exp</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rt).(Citation:&nbsp;Microsoft&nbsp;VBScript)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;VB&nbsp;p</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lorer&nbsp;(though&nbsp;most&nbsp;modern&nbsp;browsers&nbsp;do&nbsp;not&nbsp;come&nbsp;with&nbsp;VBScript</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ayloads&nbsp;to&nbsp;execute&nbsp;malicious&nbsp;commands.&nbsp;Common&nbsp;malicious&nbsp;usag</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;support).(Citation:&nbsp;Microsoft&nbsp;VBScript)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;includes&nbsp;automating&nbsp;execution&nbsp;of&nbsp;behaviors&nbsp;with&nbsp;VBScript&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;VB&nbsp;payloads&nbsp;to&nbsp;execute&nbsp;malicious&nbsp;commands.&nbsp;Common&nbsp;maliciou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">r&nbsp;embedding&nbsp;VBA&nbsp;content&nbsp;into&nbsp;[Spearphishing&nbsp;Attachment](http</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;usage&nbsp;includes&nbsp;automating&nbsp;execution&nbsp;of&nbsp;behaviors&nbsp;with&nbsp;VBSc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s://attack.mitre.org/techniques/T1566/001)&nbsp;payloads.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ript&nbsp;or&nbsp;embedding&nbsp;VBA&nbsp;content&nbsp;into&nbsp;[Spearphishing&nbsp;Attachment</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">](https://attack.mitre.org/techniques/T1566/001)&nbsp;payloads.</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1021: Restrict Web-Based Content",
                            "M1038: Execution Prevention",
                            "M1042: Disable or Remove Feature or Program",
                            "M1049: Antivirus/Antimalware"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-17 19:23:15.227000+00:00",
                    "modified": "2020-09-16 15:46:44.130000+00:00",
                    "name": "Launch Daemon",
                    "description": "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple\u2019s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). \n\nAdversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories  (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. \n\nThe plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon\u2019s executable and gain persistence or Privilege Escalation. ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1543/004",
                            "external_id": "T1543.004"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/550.html",
                            "external_id": "CAPEC-550"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/551.html",
                            "external_id": "CAPEC-551"
                        },
                        {
                            "source_name": "AppleDocs Launch Agent Daemons",
                            "description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
                            "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
                        },
                        {
                            "source_name": "Methods of Mac Malware Persistence",
                            "description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
                            "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
                        },
                        {
                            "source_name": "OSX Malware Detection",
                            "description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.",
                            "url": "https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf"
                        },
                        {
                            "source_name": "WireLurker",
                            "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.",
                            "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Monitor for launch daemon creation or modification through plist files and utilities such as Objective-See's KnockKnock application. ",
                    "x_mitre_effective_permissions": [
                        "root"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "macOS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-550\", \"root['external_references'][2]['external_id']\": \"CAPEC-551\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.\", \"root['external_references'][2]['description']\": \"Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:46:44.130000+00:00\", \"old_value\": \"2020-03-25 22:27:49.609000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"AppleDocs Launch Agent Daemons\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/550.html\", \"old_value\": \"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Methods of Mac Malware Persistence\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/551.html\", \"old_value\": \"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"AppleDocs Launch Agent Daemons\", \"old_value\": \"OSX Malware Detection\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.\", \"old_value\": \"Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. 
Retrieved July 10, 2017.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html\", \"old_value\": \"https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Methods of Mac Malware Persistence\", \"old_value\": \"WireLurker\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.\", \"old_value\": \"Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf\", \"old_value\": \"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"OSX Malware Detection\", \"description\": \"Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.\", \"url\": \"https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf\"}, \"root['external_references'][6]\": {\"source_name\": \"WireLurker\", \"description\": \"Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.\", \"url\": \"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-17 19:13:50.402000+00:00",
                    "modified": "2020-09-16 15:49:58.490000+00:00",
                    "name": "Windows Service",
                    "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). \n\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\n\nAn adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. \n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1543/003",
                            "external_id": "T1543.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/478.html",
                            "external_id": "CAPEC-478"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/550.html",
                            "external_id": "CAPEC-550"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/551.html",
                            "external_id": "CAPEC-551"
                        },
                        {
                            "source_name": "TechNet Services",
                            "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
                        },
                        {
                            "source_name": "TechNet Autoruns",
                            "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
                        },
                        {
                            "source_name": "Microsoft 4697 APR 2017",
                            "description": "Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.",
                            "url": "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697"
                        },
                        {
                            "source_name": "Microsoft Windows Event Forwarding FEB 2018",
                            "description": "Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.",
                            "url": "https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Matthew Demaske, Adaptforward",
                        "Travis Smith, Tripwire",
                        "Pedro Harrison"
                    ],
                    "x_mitre_data_sources": [
                        "API monitoring",
                        "Windows event logs",
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring",
                        "Windows Registry"
                    ],
                    "x_mitre_detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.  \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns)  \n\nCreation of new services may generate an alertable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                    "x_mitre_effective_permissions": [
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-478\", \"root['external_references'][2]['external_id']\": \"CAPEC-550\", \"root['external_references'][3]['external_id']\": \"CAPEC-551\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Microsoft. (n.d.). Services. Retrieved June 7, 2016.\", \"root['external_references'][2]['description']\": \"Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.\", \"root['external_references'][3]['description']\": \"Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:49:58.490000+00:00\", \"old_value\": \"2020-03-25 22:22:10.041000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"TechNet Services\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/478.html\", \"old_value\": \"https://technet.microsoft.com/en-us/library/cc772408.aspx\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"TechNet Autoruns\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/550.html\", \"old_value\": \"https://technet.microsoft.com/en-us/sysinternals/bb963902\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Microsoft 4697 APR 2017\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/551.html\", \"old_value\": \"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"TechNet Services\", \"old_value\": \"Microsoft Windows Event Forwarding FEB 2018\"}, 
\"root['external_references'][4]['description']\": {\"new_value\": \"Microsoft. (n.d.). Services. Retrieved June 7, 2016.\", \"old_value\": \"Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://technet.microsoft.com/en-us/library/cc772408.aspx\", \"old_value\": \"https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"TechNet Autoruns\", \"description\": \"Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/sysinternals/bb963902\"}, \"root['external_references'][6]\": {\"source_name\": \"Microsoft 4697 APR 2017\", \"description\": \"Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.\", \"url\": \"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\"}, \"root['external_references'][7]\": {\"source_name\": \"Microsoft Windows Event Forwarding FEB 2018\", \"description\": \"Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.\", \"url\": \"https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-20 15:27:18.581000+00:00",
                    "modified": "2020-09-16 15:54:35.429000+00:00",
                    "name": "OS Exhaustion Flood",
                    "description": "Adversaries may target the operating system (OS) for a DoS attack, since the OS is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.\n\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1499/001",
                            "external_id": "T1499.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/469.html",
                            "external_id": "CAPEC-469"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/482.html",
                            "external_id": "CAPEC-482"
                        },
                        {
                            "source_name": "Arbor AnnualDoSreport Jan 2018",
                            "description": "Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.",
                            "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf"
                        },
                        {
                            "source_name": "Cloudflare SynFlood",
                            "description": "Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019.",
                            "url": "https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/"
                        },
                        {
                            "source_name": "Corero SYN-ACKflood",
                            "description": "Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.",
                            "url": "https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html"
                        },
                        {
                            "source_name": "Cisco DoSdetectNetflow",
                            "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.",
                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network device logs",
                        "Netflow/Enclave netflow",
                        "Network intrusion detection system",
                        "SSL/TLS inspection"
                    ],
                    "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect an attack as it starts.",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-469\", \"root['external_references'][2]['external_id']\": \"CAPEC-482\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.\", \"root['external_references'][2]['description']\": \"Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:54:35.429000+00:00\", \"old_value\": \"2020-03-29 01:43:29.320000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Arbor AnnualDoSreport Jan 2018\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/469.html\", \"old_value\": \"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Cloudflare SynFlood\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/482.html\", \"old_value\": \"https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Arbor AnnualDoSreport Jan 2018\", \"old_value\": \"Corero SYN-ACKflood\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. 
Retrieved April 22, 2019.\", \"old_value\": \"Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf\", \"old_value\": \"https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Cloudflare SynFlood\", \"old_value\": \"Cisco DoSdetectNetflow\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019.\", \"old_value\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/\", \"old_value\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Corero SYN-ACKflood\", \"description\": \"Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.\", \"url\": \"https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html\"}, \"root['external_references'][6]\": {\"source_name\": \"Cisco DoSdetectNetflow\", \"description\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\", \"url\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic",
                            "T1499: Endpoint Denial of Service Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-20 15:31:43.613000+00:00",
                    "modified": "2020-09-16 15:56:03.131000+00:00",
                    "name": "Service Exhaustion Flood",
                    "description": "Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1499/002",
                            "external_id": "T1499.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/488.html",
                            "external_id": "CAPEC-488"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/489.html",
                            "external_id": "CAPEC-489"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/528.html",
                            "external_id": "CAPEC-528"
                        },
                        {
                            "source_name": "Arbor AnnualDoSreport Jan 2018",
                            "description": "Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.",
                            "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf"
                        },
                        {
                            "source_name": "Cloudflare HTTPflood",
                            "description": "Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019.",
                            "url": "https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/"
                        },
                        {
                            "source_name": "Arbor SSLDoS April 2012",
                            "description": "ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019.",
                            "url": "https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new"
                        },
                        {
                            "source_name": "Cisco DoSdetectNetflow",
                            "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.",
                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Network device logs",
                        "Network intrusion detection system",
                        "Web application firewall logs",
                        "Web logs",
                        "SSL/TLS inspection"
                    ],
                    "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-488\", \"root['external_references'][2]['external_id']\": \"CAPEC-489\", \"root['external_references'][3]['external_id']\": \"CAPEC-528\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.\", \"root['external_references'][2]['description']\": \"Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019.\", \"root['external_references'][3]['description']\": \"ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:56:03.131000+00:00\", \"old_value\": \"2020-03-29 01:52:53.947000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Arbor AnnualDoSreport Jan 2018\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/488.html\", \"old_value\": \"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Cloudflare HTTPflood\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/489.html\", \"old_value\": \"https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Arbor SSLDoS April 2012\"}, \"root['external_references'][3]['url']\": {\"new_value\": 
\"https://capec.mitre.org/data/definitions/528.html\", \"old_value\": \"https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Arbor AnnualDoSreport Jan 2018\", \"old_value\": \"Cisco DoSdetectNetflow\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.\", \"old_value\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf\", \"old_value\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Cloudflare HTTPflood\", \"description\": \"Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019.\", \"url\": \"https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/\"}, \"root['external_references'][6]\": {\"source_name\": \"Arbor SSLDoS April 2012\", \"description\": \"ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019.\", \"url\": \"https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new\"}, \"root['external_references'][7]\": {\"source_name\": \"Cisco DoSdetectNetflow\", \"description\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. 
Retrieved April 25, 2019.\", \"url\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic",
                            "T1499: Endpoint Denial of Service Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-22 21:04:23.285000+00:00",
                    "modified": "2020-10-21 18:48:27.576000+00:00",
                    "name": "Event Triggered Execution",
                    "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1546",
                            "external_id": "T1546"
                        },
                        {
                            "source_name": "FireEye WMI 2015",
                            "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
                        },
                        {
                            "source_name": "Malware Persistence on OS X",
                            "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.",
                            "url": "https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf"
                        },
                        {
                            "source_name": "amnesia malware",
                            "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "API monitoring",
                        "Windows event logs",
                        "System calls",
                        "Binary file metadata",
                        "Process use of network",
                        "WMI Objects",
                        "File monitoring",
                        "Process command-line parameters",
                        "Process monitoring",
                        "Loaded DLLs",
                        "DLL monitoring",
                        "Windows Registry"
                    ],
                    "x_mitre_detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.  \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 18:48:27.576000+00:00\", \"old_value\": \"2020-07-09 13:55:51.501000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \\n\\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\\n\\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. \", \"old_value\": \"Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \\n\\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. 
\\n\\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. \", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \\n \\n-Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. \\n+Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\\n \\n Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"FireEye WMI 2015\", \"description\": \"Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. 
Retrieved March 30, 2016.\", \"url\": \"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf\"}, \"root['external_references'][2]\": {\"source_name\": \"Malware Persistence on OS X\", \"description\": \"Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.\", \"url\": \"https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf\"}, \"root['external_references'][3]\": {\"source_name\": \"amnesia malware\", \"description\": \"Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.\", \"url\": \"https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to3__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to3__0\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"from3_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;establish&nbsp;persistence&nbsp;and/or&nbsp;elevate&nbsp;privile</td><td class=\"diff_next\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"to3_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;establish&nbsp;persistence&nbsp;and/or&nbsp;elevate&nbsp;privile</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;using&nbsp;system&nbsp;mechanisms&nbsp;that&nbsp;trigger&nbsp;execution&nbsp;based&nbsp;on&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;using&nbsp;system&nbsp;mechanisms&nbsp;that&nbsp;trigger&nbsp;execution&nbsp;based&nbsp;on&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">specific&nbsp;events.&nbsp;Various&nbsp;operating&nbsp;systems&nbsp;have&nbsp;means&nbsp;to&nbsp;mon</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">specific&nbsp;events.&nbsp;Various&nbsp;operating&nbsp;systems&nbsp;have&nbsp;means&nbsp;to&nbsp;mon</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">itor&nbsp;and&nbsp;subscribe&nbsp;to&nbsp;events&nbsp;such&nbsp;as&nbsp;logons&nbsp;or&nbsp;other&nbsp;user&nbsp;ac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itor&nbsp;and&nbsp;subscribe&nbsp;to&nbsp;events&nbsp;such&nbsp;as&nbsp;logons&nbsp;or&nbsp;other&nbsp;user&nbsp;ac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tivity&nbsp;such&nbsp;as&nbsp;running&nbsp;specific&nbsp;applications/binaries.&nbsp;&nbsp;&nbsp;Adv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tivity&nbsp;such&nbsp;as&nbsp;running&nbsp;specific&nbsp;applications/binaries.&nbsp;&nbsp;&nbsp;Adv</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ersaries&nbsp;may&nbsp;abuse&nbsp;these&nbsp;mechanisms&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;maintainin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ersaries&nbsp;may&nbsp;abuse&nbsp;these&nbsp;mechanisms&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;maintainin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;persistent&nbsp;access&nbsp;to&nbsp;a&nbsp;victim&nbsp;via&nbsp;repeatedly&nbsp;executing&nbsp;mal</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;persistent&nbsp;access&nbsp;to&nbsp;a&nbsp;victim&nbsp;via&nbsp;repeatedly&nbsp;executing&nbsp;mal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icious&nbsp;code.&nbsp;After&nbsp;gaining&nbsp;access&nbsp;to&nbsp;a&nbsp;victim&nbsp;system,&nbsp;advers</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icious&nbsp;code.&nbsp;After&nbsp;gaining&nbsp;access&nbsp;to&nbsp;a&nbsp;victim&nbsp;system,&nbsp;advers</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aries&nbsp;may&nbsp;create/modify&nbsp;event&nbsp;triggers&nbsp;to&nbsp;point&nbsp;to&nbsp;malicious</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aries&nbsp;may&nbsp;create/modify&nbsp;event&nbsp;triggers&nbsp;to&nbsp;point&nbsp;to&nbsp;malicious</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;content&nbsp;that&nbsp;will&nbsp;be&nbsp;executed&nbsp;whenever&nbsp;the&nbsp;event&nbsp;trigger&nbsp;is</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;content&nbsp;that&nbsp;will&nbsp;be&nbsp;executed&nbsp;whenever&nbsp;the&nbsp;event&nbsp;trigger&nbsp;is</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;invoked.<span class=\"diff_chg\">&nbsp;&nbsp;&nbsp;</span>S<span class=\"diff_chg\">ince&nbsp;the</span>&nbsp;execution&nbsp;can&nbsp;be&nbsp;proxied&nbsp;by&nbsp;an&nbsp;account</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;invoked.<span class=\"diff_chg\">(Citation:&nbsp;FireEye&nbsp;WMI&nbsp;2015)(Citation:&nbsp;Malware&nbsp;Pers</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;with&nbsp;higher&nbsp;permissions,&nbsp;such&nbsp;as&nbsp;SYSTEM&nbsp;or&nbsp;service&nbsp;accounts</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">istence&nbsp;on&nbsp;O</span>S<span class=\"diff_chg\">&nbsp;X)(Citation:&nbsp;amnesia&nbsp;malware)&nbsp;&nbsp;Since&nbsp;the</span>&nbsp;execu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;abuse&nbsp;these&nbsp;triggered&nbsp;executio</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;can&nbsp;be&nbsp;proxied&nbsp;by&nbsp;an&nbsp;account&nbsp;with&nbsp;higher&nbsp;permissions,&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;mechanisms&nbsp;to&nbsp;escalate&nbsp;their&nbsp;privileges.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;SYSTEM&nbsp;or&nbsp;service&nbsp;accounts,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;be&nbsp;able&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;abuse&nbsp;these&nbsp;triggered&nbsp;execution&nbsp;mechanisms&nbsp;to&nbsp;escalate&nbsp;th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eir&nbsp;privileges.&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-24 15:05:58.384000+00:00",
                    "modified": "2020-08-26 14:18:08.480000+00:00",
                    "name": "Image File Execution Options Injection",
                    "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\u2019s IFEO will be prepended to the application\u2019s name, effectively launching the new process under the debugger (e.g., <code>C:\\dbg\\ntsd.exe -g  notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\<executable></code> where <code>&lt;executable&gt;</code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). 
After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1546/012",
                            "external_id": "T1546.012"
                        },
                        {
                            "source_name": "Microsoft Dev Blog IFEO Mar 2010",
                            "description": "Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.",
                            "url": "https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
                        },
                        {
                            "source_name": "Microsoft GFlags Mar 2017",
                            "description": "Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.",
                            "url": "https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview"
                        },
                        {
                            "source_name": "Microsoft Silent Process Exit NOV 2017",
                            "description": "Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.",
                            "url": "https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"
                        },
                        {
                            "source_name": "Oddvar Moe IFEO APR 2018",
                            "description": "Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.",
                            "url": "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
                        },
                        {
                            "source_name": "Tilbury 2014",
                            "description": "Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 12, 2014.",
                            "url": "http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/"
                        },
                        {
                            "source_name": "Endgame Process Injection July 2017",
                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
                        },
                        {
                            "source_name": "FSecure Hupigon",
                            "description": "FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.",
                            "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml"
                        },
                        {
                            "source_name": "Symantec Ushedix June 2008",
                            "description": "Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.",
                            "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Oddvar Moe, @oddvarmoe"
                    ],
                    "x_mitre_data_sources": [
                        "API monitoring",
                        "Windows event logs",
                        "Windows Registry",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as <code>RegCreateKeyEx</code> and <code>RegSetValueEx</code>. (Citation: Endgame Process Injection July 2017)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-26 14:18:08.480000+00:00\", \"old_value\": \"2020-03-24 19:39:50.839000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\\u2019s IFEO will be prepended to the application\\u2019s name, effectively launching the new process under the debugger (e.g., <code>C:\\\\dbg\\\\ntsd.exe -g  notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n\\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\\\\SOFTWARE{\\\\Wow6432Node}\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\<executable></code> where <code>&lt;executable&gt;</code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n\\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\</code>. 
(Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\\n\\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \\\"cmd.exe,\\\" or another program that provides backdoor access, as a \\\"debugger\\\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \\\"debugger\\\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\\n\\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\\n\\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)\", \"old_value\": \"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\\u2019s IFEO will be prepended to the application\\u2019s name, effectively launching the new process under the debugger (e.g., <code>C:\\\\dbg\\\\ntsd.exe -g  notepad.exe</code>). 
(Citation: Microsoft Dev Blog IFEO Mar 2010)\\n\\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\\\\SOFTWARE{\\\\Wow6432Node}\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\<executable></code> where <code>&lt;executable&gt;</code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n\\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\\n\\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \\\"cmd.exe,\\\" or another program that provides backdoor access, as a \\\"debugger\\\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \\\"debugger\\\" program to be executed with SYSTEM privileges. 
(Citation: Tilbury 2014)\\n\\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\\n\\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)\", \"diff\": \"--- \\n+++ \\n@@ -1,8 +1,8 @@\\n-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\\u2019s IFEO will be prepended to the application\\u2019s name, effectively launching the new process under the debugger (e.g., <code>C:\\\\dbg\\\\ntsd.exe -g  notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n+Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\\u2019s IFEO will be prepended to the application\\u2019s name, effectively launching the new process under the debugger (e.g., <code>C:\\\\dbg\\\\ntsd.exe -g  notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n \\n IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. 
(Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\\\\SOFTWARE{\\\\Wow6432Node}\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\<executable></code> where <code>&lt;executable&gt;</code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n \\n-IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\\n+IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\\n \\n Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \\\"cmd.exe,\\\" or another program that provides backdoor access, as a \\\"debugger\\\" for an accessibility program (ex: utilman.exe). 
After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \\\"debugger\\\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\\n \"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n\\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as <code>RegCreateKeyEx</code> and <code>RegSetValueEx</code>. (Citation: Endgame Process Injection July 2017)\", \"old_value\": \"Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n\\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as <code>RegCreateKeyEx</code> and <code>RegSetValueEx</code>. 
(Citation: Endgame Process Injection July 2017)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n+Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. (Citation: Microsoft Dev Blog IFEO Mar 2010)\\n \\n Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as <code>RegCreateKeyEx</code> and <code>RegSetValueEx</code>. (Citation: Endgame Process Injection July 2017)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to16__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to16__0\"><a href=\"#difflib_chg_to16__top\">t</a></td><td class=\"diff_header\" id=\"from16_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;establish&nbsp;persistence&nbsp;and/or&nbsp;elevate&nbsp;privile</td><td class=\"diff_next\"><a href=\"#difflib_chg_to16__top\">t</a></td><td class=\"diff_header\" id=\"to16_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;establish&nbsp;persistence&nbsp;and/or&nbsp;elevate&nbsp;privile</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;by&nbsp;executing&nbsp;malicious&nbsp;content&nbsp;triggered&nbsp;by&nbsp;Image&nbsp;File&nbsp;E</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;by&nbsp;executing&nbsp;malicious&nbsp;content&nbsp;triggered&nbsp;by&nbsp;Image&nbsp;File&nbsp;E</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecution&nbsp;Options&nbsp;(<span class=\"diff_sub\">IEFO)&nbsp;debuggers.&nbsp;IEFOs&nbsp;enable&nbsp;a&nbsp;developer&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecution&nbsp;Options&nbsp;(IFEO<span class=\"diff_add\">)&nbsp;debuggers.&nbsp;IFEOs&nbsp;enable&nbsp;a&nbsp;developer&nbsp;</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">to&nbsp;attach&nbsp;a&nbsp;debugger&nbsp;to&nbsp;an&nbsp;application.&nbsp;When&nbsp;a&nbsp;process&nbsp;is&nbsp;cr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;attach&nbsp;a&nbsp;debugger&nbsp;to&nbsp;an&nbsp;application.&nbsp;When&nbsp;a&nbsp;process&nbsp;is&nbsp;cr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">eated,&nbsp;a&nbsp;debugger&nbsp;present&nbsp;in&nbsp;an&nbsp;application\u2019s&nbsp;</span>IFEO&nbsp;will&nbsp;be&nbsp;p</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">eated,&nbsp;a&nbsp;debugger&nbsp;present&nbsp;in&nbsp;an&nbsp;application\u2019s&nbsp;IFEO</span>&nbsp;will&nbsp;be&nbsp;p</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">repended&nbsp;to&nbsp;the&nbsp;application\u2019s&nbsp;name,&nbsp;effectively&nbsp;launching&nbsp;th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">repended&nbsp;to&nbsp;the&nbsp;application\u2019s&nbsp;name,&nbsp;effectively&nbsp;launching&nbsp;th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;new&nbsp;process&nbsp;under&nbsp;the&nbsp;debugger&nbsp;(e.g.,&nbsp;&lt;code&gt;C:\\dbg\\ntsd.ex</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;new&nbsp;process&nbsp;under&nbsp;the&nbsp;debugger&nbsp;(e.g.,&nbsp;&lt;code&gt;C:\\dbg\\ntsd.ex</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;-g&nbsp;&nbsp;notepad.exe&lt;/code&gt;).&nbsp;(Citation:&nbsp;Microsoft&nbsp;Dev&nbsp;Blog&nbsp;IFE</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;-g&nbsp;&nbsp;notepad.exe&lt;/code&gt;).&nbsp;(Citation:&nbsp;Microsoft&nbsp;Dev&nbsp;Blog&nbsp;IFE</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">O&nbsp;Mar&nbsp;2010)&nbsp;&nbsp;IFEOs&nbsp;can&nbsp;be&nbsp;set&nbsp;directly&nbsp;via&nbsp;the&nbsp;Registry&nbsp;or&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">O&nbsp;Mar&nbsp;2010)&nbsp;&nbsp;IFEOs&nbsp;can&nbsp;be&nbsp;set&nbsp;directly&nbsp;via&nbsp;the&nbsp;Registry&nbsp;or&nbsp;i</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Global&nbsp;Flags&nbsp;via&nbsp;the&nbsp;GFlags&nbsp;tool.&nbsp;(Citation:&nbsp;Microsoft&nbsp;GFl</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Global&nbsp;Flags&nbsp;via&nbsp;the&nbsp;GFlags&nbsp;tool.&nbsp;(Citation:&nbsp;Microsoft&nbsp;GFl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ags&nbsp;Mar&nbsp;2017)&nbsp;IFEOs&nbsp;are&nbsp;represented&nbsp;as&nbsp;&lt;code&gt;Debugger&lt;/code&gt;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ags&nbsp;Mar&nbsp;2017)&nbsp;IFEOs&nbsp;are&nbsp;represented&nbsp;as&nbsp;&lt;code&gt;Debugger&lt;/code&gt;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;values&nbsp;in&nbsp;the&nbsp;Registry&nbsp;under&nbsp;&lt;code&gt;HKLM\\SOFTWARE{\\Wow6432No</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;values&nbsp;in&nbsp;the&nbsp;Registry&nbsp;under&nbsp;&lt;code&gt;HKLM\\SOFTWARE{\\Wow6432No</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">de}\\Microsoft\\Windows&nbsp;NT\\CurrentVersion\\Image&nbsp;File&nbsp;Execution</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de}\\Microsoft\\Windows&nbsp;NT\\CurrentVersion\\Image&nbsp;File&nbsp;Execution</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Options\\&lt;executable&gt;&lt;/code&gt;&nbsp;where&nbsp;&lt;code&gt;&amp;lt;executable&amp;gt;&lt;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Options\\&lt;executable&gt;&lt;/code&gt;&nbsp;where&nbsp;&lt;code&gt;&amp;lt;executable&amp;gt;&lt;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/code&gt;&nbsp;is&nbsp;the&nbsp;binary&nbsp;on&nbsp;which&nbsp;the&nbsp;debugger&nbsp;is&nbsp;attached.&nbsp;(Cit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/code&gt;&nbsp;is&nbsp;the&nbsp;binary&nbsp;on&nbsp;which&nbsp;the&nbsp;debugger&nbsp;is&nbsp;attached.&nbsp;(Cit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation:&nbsp;Microsoft&nbsp;Dev&nbsp;Blog&nbsp;IFEO&nbsp;Mar&nbsp;2010)&nbsp;&nbsp;IFEOs&nbsp;can&nbsp;also&nbsp;ena</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation:&nbsp;Microsoft&nbsp;Dev&nbsp;Blog&nbsp;IFEO&nbsp;Mar&nbsp;2010)&nbsp;&nbsp;IFEOs&nbsp;can&nbsp;also&nbsp;ena</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ble&nbsp;an&nbsp;arbitrary&nbsp;monitor&nbsp;program&nbsp;to&nbsp;be&nbsp;launched&nbsp;when&nbsp;a&nbsp;speci</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ble&nbsp;an&nbsp;arbitrary&nbsp;monitor&nbsp;program&nbsp;to&nbsp;be&nbsp;launched&nbsp;when&nbsp;a&nbsp;speci</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fied&nbsp;program&nbsp;silently&nbsp;exits&nbsp;(i.e.&nbsp;is&nbsp;prematurely&nbsp;terminated&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fied&nbsp;program&nbsp;silently&nbsp;exits&nbsp;(i.e.&nbsp;is&nbsp;prematurely&nbsp;terminated&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">by&nbsp;itself&nbsp;or&nbsp;a&nbsp;second,&nbsp;non&nbsp;kernel-mode&nbsp;process).&nbsp;(Citation:&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">by&nbsp;itself&nbsp;or&nbsp;a&nbsp;second,&nbsp;non&nbsp;kernel-mode&nbsp;process).&nbsp;(Citation:&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Microsoft&nbsp;Silent&nbsp;Process&nbsp;Exit&nbsp;NOV&nbsp;2017)&nbsp;(Citation:&nbsp;Oddvar&nbsp;Mo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Microsoft&nbsp;Silent&nbsp;Process&nbsp;Exit&nbsp;NOV&nbsp;2017)&nbsp;(Citation:&nbsp;Oddvar&nbsp;Mo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;IFEO&nbsp;APR&nbsp;2018)&nbsp;Similar&nbsp;to&nbsp;debuggers,&nbsp;silent&nbsp;exit&nbsp;monitorin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;IFEO&nbsp;APR&nbsp;2018)&nbsp;Similar&nbsp;to&nbsp;debuggers,&nbsp;silent&nbsp;exit&nbsp;monitorin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;can&nbsp;be&nbsp;enabled&nbsp;through&nbsp;GFlags&nbsp;and/or&nbsp;by&nbsp;directly&nbsp;modifying</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">g&nbsp;can&nbsp;be&nbsp;enabled&nbsp;through&nbsp;GFlags&nbsp;and/or&nbsp;by&nbsp;directly&nbsp;modifying</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;IE<span class=\"diff_sub\">F</span>O&nbsp;and&nbsp;silent&nbsp;process&nbsp;exit&nbsp;Registry&nbsp;values&nbsp;in&nbsp;&lt;code&gt;HKEY_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;I<span class=\"diff_add\">F</span>EO&nbsp;and&nbsp;silent&nbsp;process&nbsp;exit&nbsp;Registry&nbsp;values&nbsp;in&nbsp;&lt;code&gt;HKEY_</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows&nbsp;NT\\CurrentVersion\\S</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows&nbsp;NT\\CurrentVersion\\S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ilentProcessExit\\&lt;/code&gt;.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Silent&nbsp;Proces</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ilentProcessExit\\&lt;/code&gt;.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Silent&nbsp;Proces</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;Exit&nbsp;NOV&nbsp;2017)&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;IFEO&nbsp;APR&nbsp;2018)&nbsp;&nbsp;Simil</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;Exit&nbsp;NOV&nbsp;2017)&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;IFEO&nbsp;APR&nbsp;2018)&nbsp;&nbsp;Simil</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ar&nbsp;to&nbsp;[Accessibility&nbsp;Features](https://attack.mitre.org/tech</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">ar&nbsp;to&nbsp;[Accessibility&nbsp;Features](https://attack.mitre.org/tech</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">niques/T1546/008),&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;later&nbsp;as&nbsp;well&nbsp;as&nbsp;Win</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">niques/T1546/008),&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;later&nbsp;as&nbsp;well&nbsp;as&nbsp;Win</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dows&nbsp;Server&nbsp;2008&nbsp;and&nbsp;later,&nbsp;a&nbsp;Registry&nbsp;key&nbsp;may&nbsp;be&nbsp;modified&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dows&nbsp;Server&nbsp;2008&nbsp;and&nbsp;later,&nbsp;a&nbsp;Registry&nbsp;key&nbsp;may&nbsp;be&nbsp;modified&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hat&nbsp;configures&nbsp;\"cmd.exe,\"&nbsp;or&nbsp;another&nbsp;program&nbsp;that&nbsp;provides&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hat&nbsp;configures&nbsp;\"cmd.exe,\"&nbsp;or&nbsp;another&nbsp;program&nbsp;that&nbsp;provides&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ackdoor&nbsp;access,&nbsp;as&nbsp;a&nbsp;\"debugger\"&nbsp;for&nbsp;an&nbsp;accessibility&nbsp;program</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ackdoor&nbsp;access,&nbsp;as&nbsp;a&nbsp;\"debugger\"&nbsp;for&nbsp;an&nbsp;accessibility&nbsp;program</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(ex:&nbsp;utilman.exe).&nbsp;After&nbsp;the&nbsp;Registry&nbsp;is&nbsp;modified,&nbsp;pressing</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(ex:&nbsp;utilman.exe).&nbsp;After&nbsp;the&nbsp;Registry&nbsp;is&nbsp;modified,&nbsp;pressing</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;appropriate&nbsp;key&nbsp;combination&nbsp;at&nbsp;the&nbsp;login&nbsp;screen&nbsp;while&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;appropriate&nbsp;key&nbsp;combination&nbsp;at&nbsp;the&nbsp;login&nbsp;screen&nbsp;while&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;the&nbsp;keyboard&nbsp;or&nbsp;when&nbsp;connected&nbsp;with&nbsp;[Remote&nbsp;Desktop&nbsp;Protoc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;the&nbsp;keyboard&nbsp;or&nbsp;when&nbsp;connected&nbsp;with&nbsp;[Remote&nbsp;Desktop&nbsp;Protoc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ol](https://attack.mitre.org/techniques/T1021/001)&nbsp;will&nbsp;caus</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ol](https://attack.mitre.org/techniques/T1021/001)&nbsp;will&nbsp;caus</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;the&nbsp;\"debugger\"&nbsp;program&nbsp;to&nbsp;be&nbsp;executed&nbsp;with&nbsp;SYSTEM&nbsp;privileg</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;the&nbsp;\"debugger\"&nbsp;program&nbsp;to&nbsp;be&nbsp;executed&nbsp;with&nbsp;SYSTEM&nbsp;privileg</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es.&nbsp;(Citation:&nbsp;Tilbury&nbsp;2014)&nbsp;&nbsp;Similar&nbsp;to&nbsp;[Process&nbsp;Injection]</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es.&nbsp;(Citation:&nbsp;Tilbury&nbsp;2014)&nbsp;&nbsp;Similar&nbsp;to&nbsp;[Process&nbsp;Injection]</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(https://attack.mitre.org/techniques/T1055),&nbsp;these&nbsp;values&nbsp;ma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(https://attack.mitre.org/techniques/T1055),&nbsp;these&nbsp;values&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;obtain&nbsp;privilege&nbsp;escalation&nbsp;by&nbsp;causing&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;obtain&nbsp;privilege&nbsp;escalation&nbsp;by&nbsp;causing&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;malicious&nbsp;executable&nbsp;to&nbsp;be&nbsp;loaded&nbsp;and&nbsp;run&nbsp;in&nbsp;the&nbsp;context&nbsp;of</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;malicious&nbsp;executable&nbsp;to&nbsp;be&nbsp;loaded&nbsp;and&nbsp;run&nbsp;in&nbsp;the&nbsp;context&nbsp;of</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;separate&nbsp;processes&nbsp;on&nbsp;the&nbsp;computer.&nbsp;(Citation:&nbsp;Endgame&nbsp;Proc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;separate&nbsp;processes&nbsp;on&nbsp;the&nbsp;computer.&nbsp;(Citation:&nbsp;Endgame&nbsp;Proc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ess&nbsp;Injection&nbsp;July&nbsp;2017)&nbsp;Installing&nbsp;IFEO&nbsp;mechanisms&nbsp;may&nbsp;also</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ess&nbsp;Injection&nbsp;July&nbsp;2017)&nbsp;Installing&nbsp;IFEO&nbsp;mechanisms&nbsp;may&nbsp;also</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;provide&nbsp;Persistence&nbsp;via&nbsp;continuous&nbsp;triggered&nbsp;invocation.&nbsp;&nbsp;M</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;provide&nbsp;Persistence&nbsp;via&nbsp;continuous&nbsp;triggered&nbsp;invocation.&nbsp;&nbsp;M</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">alware&nbsp;may&nbsp;also&nbsp;use&nbsp;IFEO&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://attack</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">alware&nbsp;may&nbsp;also&nbsp;use&nbsp;IFEO&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://attack</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.mitre.org/techniques/T1562)&nbsp;by&nbsp;registering&nbsp;invalid&nbsp;debugger</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.mitre.org/techniques/T1562)&nbsp;by&nbsp;registering&nbsp;invalid&nbsp;debugger</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;that&nbsp;redirect&nbsp;and&nbsp;effectively&nbsp;disable&nbsp;various&nbsp;system&nbsp;and&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;that&nbsp;redirect&nbsp;and&nbsp;effectively&nbsp;disable&nbsp;various&nbsp;system&nbsp;and&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ecurity&nbsp;applications.&nbsp;(Citation:&nbsp;FSecure&nbsp;Hupigon)&nbsp;(Citation:</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">ecurity&nbsp;applications.&nbsp;(Citation:&nbsp;FSecure&nbsp;Hupigon)&nbsp;(Citation:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Symantec&nbsp;Ushedix&nbsp;June&nbsp;2008)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Symantec&nbsp;Ushedix&nbsp;June&nbsp;2008)</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-10-21 01:10:54.358000+00:00",
                    "name": "Exploit Public-Facing Application",
                    "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1190",
                            "external_id": "T1190"
                        },
                        {
                            "source_name": "NVD CVE-2016-6662",
                            "description": "National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.",
                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6662"
                        },
                        {
                            "source_name": "CIS Multiple SMB Vulnerabilities",
                            "description": "CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.",
                            "url": "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/"
                        },
                        {
                            "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
                            "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        },
                        {
                            "source_name": "NVD CVE-2014-7169",
                            "description": "National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.",
                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169"
                        },
                        {
                            "source_name": "OWASP Top 10",
                            "description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
                            "url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
                        },
                        {
                            "source_name": "CWE top 25",
                            "description": "Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.",
                            "url": "https://cwe.mitre.org/top25/index.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "Azure activity logs",
                        "AWS CloudTrail logs",
                        "Stackdriver logs",
                        "Packet capture",
                        "Web logs",
                        "Web application firewall logs",
                        "Application logs"
                    ],
                    "x_mitre_detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Network"
                    ],
                    "x_mitre_version": "2.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 01:10:54.358000+00:00\", \"old_value\": \"2020-02-18 16:10:38.866000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \\n\\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\\n\\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)\", \"old_value\": \"Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. 
These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\\n\\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\\n\\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\\n+Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. 
These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \\n \\n If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\\n \"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"US-CERT TA18-106A Network Infrastructure Devices 2018\", \"old_value\": \"NVD CVE-2014-7169\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.\", \"old_value\": \"National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://us-cert.cisa.gov/ncas/alerts/TA18-106A\", \"old_value\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-7169\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Cisco Blog Legacy Device Attacks\", \"old_value\": \"OWASP Top 10\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.\", \"old_value\": \"OWASP. (2018, February 23). OWASP Top Ten Project. 
Retrieved April 3, 2018.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954\", \"old_value\": \"https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"NVD CVE-2014-7169\", \"old_value\": \"CWE top 25\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.\", \"old_value\": \"Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-7169\", \"old_value\": \"https://cwe.mitre.org/top25/index.html\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"OWASP Top 10\", \"description\": \"OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.\", \"url\": \"https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project\"}, \"root['external_references'][7]\": {\"source_name\": \"CWE top 25\", \"description\": \"Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.\", \"url\": \"https://cwe.mitre.org/top25/index.html\"}, \"root['x_mitre_platforms'][6]\": \"Network\"}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 2.2",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to18__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to18__0\"><a href=\"#difflib_chg_to18__top\">t</a></td><td class=\"diff_header\" id=\"from18_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;take&nbsp;advantage&nbsp;of&nbsp;a&nbsp;weakness&nbsp;in&nbsp;a</td><td class=\"diff_next\"><a href=\"#difflib_chg_to18__top\">t</a></td><td class=\"diff_header\" id=\"to18_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;take&nbsp;advantage&nbsp;of&nbsp;a&nbsp;weakness&nbsp;in&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Internet-facing&nbsp;computer&nbsp;or&nbsp;program&nbsp;using&nbsp;software,&nbsp;data,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Internet-facing&nbsp;computer&nbsp;or&nbsp;program&nbsp;using&nbsp;software,&nbsp;data,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;commands&nbsp;in&nbsp;order&nbsp;to&nbsp;cause&nbsp;unintended&nbsp;or&nbsp;unanticipated&nbsp;be</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;commands&nbsp;in&nbsp;order&nbsp;to&nbsp;cause&nbsp;unintended&nbsp;or&nbsp;unanticipated&nbsp;be</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">havior.&nbsp;The&nbsp;weakness&nbsp;in&nbsp;the&nbsp;system&nbsp;can&nbsp;be&nbsp;a&nbsp;bug,&nbsp;a&nbsp;glitch,&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">havior.&nbsp;The&nbsp;weakness&nbsp;in&nbsp;the&nbsp;system&nbsp;can&nbsp;be&nbsp;a&nbsp;bug,&nbsp;a&nbsp;glitch,&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;a&nbsp;design&nbsp;vulnerability.&nbsp;These&nbsp;applications&nbsp;are&nbsp;often&nbsp;websi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;a&nbsp;design&nbsp;vulnerability.&nbsp;These&nbsp;applications&nbsp;are&nbsp;often&nbsp;websi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tes,&nbsp;but&nbsp;can&nbsp;include&nbsp;databases&nbsp;(like&nbsp;SQL)(Citation:&nbsp;NVD&nbsp;CVE-</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tes,&nbsp;but&nbsp;can&nbsp;include&nbsp;databases&nbsp;(like&nbsp;SQL)(Citation:&nbsp;NVD&nbsp;CVE-</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">2016-6662),&nbsp;standard&nbsp;services&nbsp;(like&nbsp;SMB(Citation:&nbsp;CIS&nbsp;Multip</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">2016-6662),&nbsp;standard&nbsp;services&nbsp;(like&nbsp;SMB(Citation:&nbsp;CIS&nbsp;Multip</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;SMB&nbsp;Vulnerabilities)&nbsp;or&nbsp;SSH),&nbsp;<span class=\"diff_chg\">and&nbsp;an</span>y&nbsp;<span class=\"diff_chg\">other&nbsp;applications</span>&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;SMB&nbsp;Vulnerabilities)&nbsp;or&nbsp;SSH),&nbsp;<span 
class=\"diff_chg\">network&nbsp;device&nbsp;administrati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">with&nbsp;Internet&nbsp;accessible&nbsp;open&nbsp;sockets,&nbsp;such&nbsp;as&nbsp;web&nbsp;servers&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">on&nbsp;and&nbsp;management&nbsp;protocols&nbsp;(like&nbsp;SNMP&nbsp;and&nbsp;Smart&nbsp;Install(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;related&nbsp;services.(Citation:&nbsp;NVD&nbsp;CVE-2014-7169)&nbsp;Depending&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ation:&nbsp;US-CERT&nbsp;TA18-106A&nbsp;Network&nbsp;Infrastructure&nbsp;Devices&nbsp;2018</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;the&nbsp;flaw&nbsp;being&nbsp;exploited&nbsp;this&nbsp;may&nbsp;include&nbsp;[Exploitation&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">)(Citation:&nbsp;Cisco&nbsp;Blog&nbsp;Legac</span>y&nbsp;<span class=\"diff_chg\">Device&nbsp;Attacks)),&nbsp;and&nbsp;any&nbsp;othe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;Defense&nbsp;Evasion](https://attack.mitre.org/techniques/T121</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">r&nbsp;applications</span>&nbsp;with&nbsp;Internet&nbsp;accessible&nbsp;open&nbsp;sockets,&nbsp;such&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">1).&nbsp;&nbsp;If&nbsp;an&nbsp;application&nbsp;is&nbsp;hosted&nbsp;on&nbsp;cloud-based&nbsp;infrastructu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;web&nbsp;servers&nbsp;and&nbsp;related&nbsp;services.(Citation:&nbsp;NVD&nbsp;CVE-2014-7</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re,&nbsp;then&nbsp;exploiting&nbsp;it&nbsp;may&nbsp;lead&nbsp;to&nbsp;compromise&nbsp;of&nbsp;the&nbsp;underly</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">169)&nbsp;Depending&nbsp;on&nbsp;the&nbsp;flaw&nbsp;being&nbsp;exploited&nbsp;this&nbsp;may&nbsp;include&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;instance.&nbsp;This&nbsp;can&nbsp;allow&nbsp;an&nbsp;adversary&nbsp;a&nbsp;path&nbsp;to&nbsp;access&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">[Exploitation&nbsp;for&nbsp;Defense&nbsp;Evasion](https://attack.mitre.org/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;cloud&nbsp;APIs&nbsp;or&nbsp;to&nbsp;take&nbsp;advantage&nbsp;of&nbsp;weak&nbsp;identity&nbsp;and&nbsp;acce</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">techniques/T1211).&nbsp;&nbsp;<span class=\"diff_add\">&nbsp;</span>If&nbsp;an&nbsp;application&nbsp;is&nbsp;hosted&nbsp;on&nbsp;cloud-ba</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;management&nbsp;policies.&nbsp;&nbsp;For&nbsp;websites&nbsp;and&nbsp;databases,&nbsp;the&nbsp;OWA</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sed&nbsp;infrastructure,&nbsp;then&nbsp;exploiting&nbsp;it&nbsp;may&nbsp;lead&nbsp;to&nbsp;compromis</td></tr>\n            
<tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">SP&nbsp;top&nbsp;10&nbsp;and&nbsp;CWE&nbsp;top&nbsp;25&nbsp;highlight&nbsp;the&nbsp;most&nbsp;common&nbsp;web-based</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;of&nbsp;the&nbsp;underlying&nbsp;instance.&nbsp;This&nbsp;can&nbsp;allow&nbsp;an&nbsp;adversary&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;vulnerabilities.(Citation:&nbsp;OWASP&nbsp;Top&nbsp;10)(Citation:&nbsp;CWE&nbsp;top&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">path&nbsp;to&nbsp;access&nbsp;the&nbsp;cloud&nbsp;APIs&nbsp;or&nbsp;to&nbsp;take&nbsp;advantage&nbsp;of&nbsp;weak&nbsp;i</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">25)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dentity&nbsp;and&nbsp;access&nbsp;management&nbsp;policies.&nbsp;&nbsp;For&nbsp;websites&nbsp;and&nbsp;da</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tabases,&nbsp;the&nbsp;OWASP&nbsp;top&nbsp;10&nbsp;and&nbsp;CWE&nbsp;top&nbsp;25&nbsp;highlight&nbsp;the&nbsp;most&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">common&nbsp;web-based&nbsp;vulnerabilities.(Citation:&nbsp;OWASP&nbsp;Top&nbsp;10)(Ci</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tation:&nbsp;CWE&nbsp;top&nbsp;25)</td></tr>\n        
</tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1016: Vulnerability Scanning",
                            "M1026: Privileged Account Management",
                            "M1030: Network Segmentation",
                            "M1048: Application Isolation and Sandboxing",
                            "M1050: Exploit Protection",
                            "M1051: Update Software",
                            "T1190: Exploit Public-Facing Application Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:04.710000+00:00",
                    "modified": "2020-09-16 16:02:16.770000+00:00",
                    "name": "File and Directory Discovery",
                    "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1083",
                            "external_id": "T1083"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/127.html",
                            "external_id": "CAPEC-127"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/497.html",
                            "external_id": "CAPEC-497"
                        },
                        {
                            "source_name": "Windows Commands JPCERT",
                            "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
                            "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_system_requirements": [
                        "Some folders may require Administrator, SYSTEM, or a specific user, depending on permission levels and access controls"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-127\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 16:02:16.770000+00:00\", \"old_value\": \"2020-03-26 17:18:36.857000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Windows Commands JPCERT\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/127.html\", \"old_value\": \"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"capec\", \"url\": \"https://capec.mitre.org/data/definitions/497.html\", \"external_id\": \"CAPEC-497\"}, \"root['external_references'][3]\": {\"source_name\": \"Windows Commands JPCERT\", \"description\": \"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.\", \"url\": \"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3",
                    "changelog_mitigations": {
                        "shared": [
                            "T1083: File and Directory Discovery Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-04 19:17:41.767000+00:00",
                    "modified": "2020-09-01 20:05:05.268000+00:00",
                    "name": "Windows File and Directory Permissions Modification",
                    "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identify the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1222/001",
                            "external_id": "T1222.001"
                        },
                        {
                            "source_name": "Hybrid Analysis Icacls1 June 2018",
                            "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
                            "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
                        },
                        {
                            "source_name": "Hybrid Analysis Icacls2 May 2018",
                            "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
                            "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
                        },
                        {
                            "source_name": "Microsoft DACL May 2018",
                            "description": "Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.",
                            "url": "https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces"
                        },
                        {
                            "source_name": "Microsoft Access Control Lists May 2018",
                            "description": "M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists"
                        },
                        {
                            "source_name": "EventTracker File Permissions Feb 2014",
                            "description": "Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.",
                            "url": "https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Windows event logs",
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-01 20:05:05.268000+00:00\", \"old_value\": \"2020-03-29 23:07:55.953000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\\n\\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\\n\\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. 
Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\", \"old_value\": \"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\\n\\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\\n\\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. 
Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\\n \\n-Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\\n+Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. 
Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to21__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to21__0\"><a href=\"#difflib_chg_to21__top\">t</a></td><td class=\"diff_header\" id=\"from21_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;file&nbsp;or&nbsp;directory&nbsp;permissions/attribu</td><td class=\"diff_next\"><a href=\"#difflib_chg_to21__top\">t</a></td><td class=\"diff_header\" id=\"to21_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;file&nbsp;or&nbsp;directory&nbsp;permissions/attribu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tes&nbsp;to&nbsp;evade&nbsp;access&nbsp;control&nbsp;lists&nbsp;(ACLs)&nbsp;and&nbsp;access&nbsp;protecte</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tes&nbsp;to&nbsp;evade&nbsp;access&nbsp;control&nbsp;lists&nbsp;(ACLs)&nbsp;and&nbsp;access&nbsp;protecte</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;files.(Citation:&nbsp;Hybrid&nbsp;Analysis&nbsp;Icacls1&nbsp;June&nbsp;2018)(Citati</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;files.(Citation:&nbsp;Hybrid&nbsp;Analysis&nbsp;Icacls1&nbsp;June&nbsp;2018)(Citati</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">on:&nbsp;Hybrid&nbsp;Analysis&nbsp;Icacls2&nbsp;May&nbsp;2018)&nbsp;File&nbsp;and&nbsp;directory&nbsp;per</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on:&nbsp;Hybrid&nbsp;Analysis&nbsp;Icacls2&nbsp;May&nbsp;2018)&nbsp;File&nbsp;and&nbsp;directory&nbsp;per</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">missions&nbsp;are&nbsp;commonly&nbsp;managed&nbsp;by&nbsp;ACLs&nbsp;configured&nbsp;by&nbsp;the&nbsp;file</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">missions&nbsp;are&nbsp;commonly&nbsp;managed&nbsp;by&nbsp;ACLs&nbsp;configured&nbsp;by&nbsp;the&nbsp;file</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;or&nbsp;directory&nbsp;owner,&nbsp;or&nbsp;users&nbsp;with&nbsp;the&nbsp;appropriate&nbsp;permissio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;or&nbsp;directory&nbsp;owner,&nbsp;or&nbsp;users&nbsp;with&nbsp;the&nbsp;appropriate&nbsp;permissio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns.&nbsp;File&nbsp;and&nbsp;directory&nbsp;ACL&nbsp;implementations&nbsp;vary&nbsp;by&nbsp;platform,</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns.&nbsp;File&nbsp;and&nbsp;directory&nbsp;ACL&nbsp;implementations&nbsp;vary&nbsp;by&nbsp;platform,</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;but&nbsp;generally&nbsp;explicitly&nbsp;designate&nbsp;which&nbsp;users&nbsp;or&nbsp;groups&nbsp;ca</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;but&nbsp;generally&nbsp;explicitly&nbsp;designate&nbsp;which&nbsp;users&nbsp;or&nbsp;groups&nbsp;ca</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;perform&nbsp;which&nbsp;actions&nbsp;(read,&nbsp;write,&nbsp;execute,&nbsp;etc.).&nbsp;&nbsp;Windo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;perform&nbsp;which&nbsp;actions&nbsp;(read,&nbsp;write,&nbsp;execute,&nbsp;etc.).&nbsp;&nbsp;Windo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ws&nbsp;implements&nbsp;file&nbsp;and&nbsp;directory&nbsp;ACLs&nbsp;as&nbsp;Discretionary&nbsp;Acces</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ws&nbsp;implements&nbsp;file&nbsp;and&nbsp;directory&nbsp;ACLs&nbsp;as&nbsp;Discretionary&nbsp;Acces</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;Control&nbsp;Lists&nbsp;(DACLs).(Citation:&nbsp;Microsoft&nbsp;DACL&nbsp;May&nbsp;2018)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;Control&nbsp;Lists&nbsp;(DACLs).(Citation:&nbsp;Microsoft&nbsp;DACL&nbsp;May&nbsp;2018)&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Similar&nbsp;to&nbsp;a&nbsp;standard&nbsp;ACL,&nbsp;DACLs&nbsp;identifies&nbsp;the&nbsp;accounts&nbsp;tha</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Similar&nbsp;to&nbsp;a&nbsp;standard&nbsp;ACL,&nbsp;DACLs&nbsp;identifies&nbsp;the&nbsp;accounts&nbsp;tha</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;are&nbsp;allowed&nbsp;or&nbsp;denied&nbsp;access&nbsp;to&nbsp;a&nbsp;securable&nbsp;object.&nbsp;When&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">t&nbsp;are&nbsp;allowed&nbsp;or&nbsp;denied&nbsp;access&nbsp;to&nbsp;a&nbsp;securable&nbsp;object.&nbsp;When&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;attempt&nbsp;is&nbsp;made&nbsp;to&nbsp;access&nbsp;a&nbsp;securable&nbsp;object,&nbsp;the&nbsp;system&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;attempt&nbsp;is&nbsp;made&nbsp;to&nbsp;access&nbsp;a&nbsp;securable&nbsp;object,&nbsp;the&nbsp;system&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hecks&nbsp;the&nbsp;access&nbsp;control&nbsp;entries&nbsp;in&nbsp;the&nbsp;DACL&nbsp;in&nbsp;order.&nbsp;If&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hecks&nbsp;the&nbsp;access&nbsp;control&nbsp;entries&nbsp;in&nbsp;the&nbsp;DACL&nbsp;in&nbsp;order.&nbsp;If&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">matching&nbsp;entry&nbsp;is&nbsp;found,&nbsp;access&nbsp;to&nbsp;the&nbsp;object&nbsp;is&nbsp;granted.&nbsp;Ot</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">matching&nbsp;entry&nbsp;is&nbsp;found,&nbsp;access&nbsp;to&nbsp;the&nbsp;object&nbsp;is&nbsp;granted.&nbsp;Ot</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">herwise,&nbsp;access&nbsp;is&nbsp;denied.(Citation:&nbsp;Microsoft&nbsp;Access&nbsp;Contro</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">herwise,&nbsp;access&nbsp;is&nbsp;denied.(Citation:&nbsp;Microsoft&nbsp;Access&nbsp;Contro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">l&nbsp;Lists&nbsp;May&nbsp;2018)&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;interact&nbsp;with&nbsp;the&nbsp;DACLs&nbsp;u</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">l&nbsp;Lists&nbsp;May&nbsp;2018)&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;interact&nbsp;with&nbsp;the&nbsp;DACLs&nbsp;u</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sing&nbsp;built-in&nbsp;Windows&nbsp;commands,&nbsp;such&nbsp;as&nbsp;`icacls`,&nbsp;`<span class=\"diff_chg\">takeown</span>`,</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sing&nbsp;built-in&nbsp;Windows&nbsp;commands,&nbsp;such&nbsp;as&nbsp;`icacls`,&nbsp;`<span class=\"diff_chg\">cacls</span>`,&nbsp;<span class=\"diff_chg\">`</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;<span class=\"diff_chg\">and</span>&nbsp;`attrib`,&nbsp;which&nbsp;can&nbsp;grant&nbsp;adversaries&nbsp;higher&nbsp;permission</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">takeown`,&nbsp;and</span>&nbsp;`attrib`,&nbsp;which&nbsp;can&nbsp;grant&nbsp;adversaries&nbsp;higher&nbsp;p</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;on&nbsp;specific&nbsp;files&nbsp;and&nbsp;folders.&nbsp;Further,&nbsp;[PowerShell](https</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ermissions&nbsp;on&nbsp;specific&nbsp;files&nbsp;and&nbsp;folders.&nbsp;Further,&nbsp;[PowerShe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">://attack.mitre.org/techniques/T1059/001)&nbsp;provides&nbsp;cmdlets&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ll](https://attack.mitre.org/techniques/T1059/001)&nbsp;provides&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hat&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;retrieve&nbsp;or&nbsp;modify&nbsp;file&nbsp;and&nbsp;directory&nbsp;DAC</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cmdlets&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;retrieve&nbsp;or&nbsp;modify&nbsp;file&nbsp;and&nbsp;dire</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Ls.&nbsp;Specific&nbsp;file&nbsp;and&nbsp;directory&nbsp;modifications&nbsp;may&nbsp;be&nbsp;a&nbsp;requi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctory&nbsp;DACLs.&nbsp;Specific&nbsp;file&nbsp;and&nbsp;directory&nbsp;modifications&nbsp;may&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">red&nbsp;step&nbsp;for&nbsp;many&nbsp;techniques,&nbsp;such&nbsp;as&nbsp;establishing&nbsp;Persisten</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;a&nbsp;required&nbsp;step&nbsp;for&nbsp;many&nbsp;techniques,&nbsp;such&nbsp;as&nbsp;establishing&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;via&nbsp;[Accessibility&nbsp;Features](https://attack.mitre.org/tec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Persistence&nbsp;via&nbsp;[Accessibility&nbsp;Features](https://attack.mitr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1546/008),&nbsp;[Boot&nbsp;or&nbsp;Logon&nbsp;Initialization&nbsp;Scripts](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">e.org/techniques/T1546/008),&nbsp;[Boot&nbsp;or&nbsp;Logon&nbsp;Initialization&nbsp;S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1037),&nbsp;or&nbsp;tainting/hijac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cripts](https://attack.mitre.org/techniques/T1037),&nbsp;or&nbsp;taint</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">king&nbsp;other&nbsp;instrumental&nbsp;binary/configuration&nbsp;files&nbsp;via&nbsp;[Hija</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing/hijacking&nbsp;other&nbsp;instrumental&nbsp;binary/configuration&nbsp;files&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck&nbsp;Execution&nbsp;Flow](https://attack.mitre.org/techniques/T1574</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">via&nbsp;[Hijack&nbsp;Execution&nbsp;Flow](https://attack.mitre.org/techniq</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ues/T1574).</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1026: Privileged Account Management"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-09-16 16:12:48.086000+00:00",
                    "name": "Hardware Additions",
                    "description": "Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), man-in-the-middle encryption breaking (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), adding new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1200",
                            "external_id": "T1200"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/440.html",
                            "external_id": "CAPEC-440"
                        },
                        {
                            "source_name": "Ossmann Star Feb 2011",
                            "description": "Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.",
                            "url": "https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html"
                        },
                        {
                            "source_name": "Aleks Weapons Nov 2015",
                            "description": "Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.",
                            "url": "http://www.bsidesto.ca/2015/slides/Weapons_of_a_Penetration_Tester.pptx"
                        },
                        {
                            "source_name": "Hak5 RubberDuck Dec 2016",
                            "description": "Hak5. (2016, December 7). Stealing Files with the USB Rubber Ducky \u2013 USB Exfiltration Explained. Retrieved March 30, 2018.",
                            "url": "https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained"
                        },
                        {
                            "source_name": "Frisk DMA August 2016",
                            "description": "Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.",
                            "url": "https://www.youtube.com/watch?v=fXthwl6ShOg"
                        },
                        {
                            "source_name": "McMillan Pwn March 2012",
                            "description": "Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.",
                            "url": "https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Asset management",
                        "Data loss prevention"
                    ],
                    "x_mitre_detection": "Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Windows",
                        "Linux",
                        "macOS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-440\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 16:12:48.086000+00:00\", \"old_value\": \"2020-07-14 19:36:40.493000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Ossmann Star Feb 2011\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/440.html\", \"old_value\": \"https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Ossmann Star Feb 2011\", \"old_value\": \"Aleks Weapons Nov 2015\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.\", \"old_value\": \"Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html\", \"old_value\": \"http://www.bsidesto.ca/2015/slides/Weapons_of_a_Penetration_Tester.pptx\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Aleks Weapons Nov 2015\", \"old_value\": \"Hak5 RubberDuck Dec 2016\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.\", \"old_value\": \"Hak5. (2016, December 7). Stealing Files with the USB Rubber Ducky \\u2013 USB Exfiltration Explained. 
Retrieved March 30, 2018.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"http://www.bsidesto.ca/2015/slides/Weapons_of_a_Penetration_Tester.pptx\", \"old_value\": \"https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Hak5 RubberDuck Dec 2016\", \"old_value\": \"Frisk DMA August 2016\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Hak5. (2016, December 7). Stealing Files with the USB Rubber Ducky \\u2013 USB Exfiltration Explained. Retrieved March 30, 2018.\", \"old_value\": \"Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained\", \"old_value\": \"https://www.youtube.com/watch?v=fXthwl6ShOg\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Frisk DMA August 2016\", \"old_value\": \"McMillan Pwn March 2012\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.\", \"old_value\": \"Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.youtube.com/watch?v=fXthwl6ShOg\", \"old_value\": \"https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"McMillan Pwn March 2012\", \"description\": \"Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. 
Retrieved March 30, 2018.\", \"url\": \"https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1034: Limit Hardware Installation",
                            "M1035: Limit Access to Resource Over Network",
                            "T1200: Hardware Additions Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 20:09:59.569000+00:00",
                    "modified": "2020-09-16 16:49:46.904000+00:00",
                    "name": "LD_PRELOAD",
                    "description": "Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)\n\nAdversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or <code>/etc/ld.so.preload</code> file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD will be loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)\n\nLD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/006",
                            "external_id": "T1574.006"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/13.html",
                            "external_id": "CAPEC-13"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/640.html",
                            "external_id": "CAPEC-640"
                        },
                        {
                            "source_name": "Man LD.SO",
                            "description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.",
                            "url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html"
                        },
                        {
                            "source_name": "TLDP Shared Libraries",
                            "description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.",
                            "url": "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html"
                        },
                        {
                            "source_name": "Code Injection on Linux and macOS",
                            "description": "Itamar Turner-Trauring. (2017, April 18). \u201cThis will only hurt for a moment\u201d: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017.",
                            "url": "https://www.datawire.io/code-injection-on-linux-and-macos/"
                        },
                        {
                            "source_name": "Uninformed Needle",
                            "description": "skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.",
                            "url": "http://hick.org/code/skape/papers/needle.txt"
                        },
                        {
                            "source_name": "Phrack halfdead 1997",
                            "description": "halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.",
                            "url": "http://phrack.org/issues/51/8.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "File monitoring",
                        "Environment variable"
                    ],
                    "x_mitre_detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-13\", \"root['external_references'][2]['external_id']\": \"CAPEC-640\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.\", \"root['external_references'][2]['description']\": \"The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 16:49:46.904000+00:00\", \"old_value\": \"2020-06-15 21:59:25.358000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Man LD.SO\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/13.html\", \"old_value\": \"https://www.man7.org/linux/man-pages/man8/ld.so.8.html\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"TLDP Shared Libraries\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/640.html\", \"old_value\": \"https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Man LD.SO\", \"old_value\": \"Code Injection on Linux and macOS\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.\", \"old_value\": \"Itamar Turner-Trauring. (2017, April 18). \\u201cThis will only hurt for a moment\\u201d: code injection on Linux and macOS with LD_PRELOAD. 
Retrieved December 20, 2017.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://www.man7.org/linux/man-pages/man8/ld.so.8.html\", \"old_value\": \"https://www.datawire.io/code-injection-on-linux-and-macos/\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"TLDP Shared Libraries\", \"old_value\": \"Uninformed Needle\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.\", \"old_value\": \"skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html\", \"old_value\": \"http://hick.org/code/skape/papers/needle.txt\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Code Injection on Linux and macOS\", \"old_value\": \"Phrack halfdead 1997\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Itamar Turner-Trauring. (2017, April 18). \\u201cThis will only hurt for a moment\\u201d: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017.\", \"old_value\": \"halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.datawire.io/code-injection-on-linux-and-macos/\", \"old_value\": \"http://phrack.org/issues/51/8.html\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Uninformed Needle\", \"description\": \"skape. (2003, January 19). Linux x86 run-time process manipulation. 
Retrieved December 20, 2017.\", \"url\": \"http://hick.org/code/skape/papers/needle.txt\"}, \"root['external_references'][7]\": {\"source_name\": \"Phrack halfdead 1997\", \"description\": \"halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.\", \"url\": \"http://phrack.org/issues/51/8.html\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1038: Execution Prevention"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 13:51:58.519000+00:00",
                    "modified": "2020-09-17 19:05:23.755000+00:00",
                    "name": "Path Interception by Unquoted Path",
                    "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (stored in Windows Registry keys)(Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\\unsafe path with space\\program.exe</code> vs. <code>\"C:\\safe path with space\\program.exe\"</code>).(Citation: Help eliminate unquoted path) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\\program files\\myapp.exe</code>, an adversary may create a program at <code>C:\\program.exe</code> that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) This requires the adversary to have write access to the higher level directory, which is why restricting file and directory permissions on those locations is a primary mitigation.\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/009",
                            "external_id": "T1574.009"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/38.html",
                            "external_id": "CAPEC-38"
                        },
                        {
                            "source_name": "Microsoft CurrentControlSet Services",
                            "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
                        },
                        {
                            "source_name": "Help eliminate unquoted path",
                            "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.",
                            "url": "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464"
                        },
                        {
                            "source_name": "Windows Unquoted Services",
                            "description": "HackHappy. (2018, April 23). Windows Privilege Escalation \u2013 Unquoted Services. Retrieved August 10, 2018.",
                            "url": "https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/"
                        },
                        {
                            "source_name": "Windows Privilege Escalation Guide",
                            "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
                            "url": "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Stefan Kanthak"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-17 19:05:23.755000+00:00\", \"old_value\": \"2020-03-26 19:55:39.867000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/38.html\", \"old_value\": \"https://capec.mitre.org/data/definitions/capec.html\"}, \"root['external_references'][1]['external_id']\": {\"new_value\": \"CAPEC-38\", \"old_value\": \"CAPEC-capec\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1038: Execution Prevention",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-31 12:32:08.228000+00:00",
                    "modified": "2020-10-16 18:09:48.686000+00:00",
                    "name": "Clear Command History",
                    "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, the shell keeps the command history in memory; when the session ends it is written to the file named by the environment variable <code>HISTFILE</code>, which for bash defaults to <code>~/.bash_history</code> in the user's home directory. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file <code>rm ~/.bash_history</code>. Because the destination is controlled by <code>HISTFILE</code>, adversaries may also prevent history from being written at all, for example by unsetting or redirecting that variable (<code>unset HISTFILE</code>) or by setting the history file size to zero (<code>export HISTFILESIZE=0</code>).\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1070/003",
                            "external_id": "T1070.003"
                        },
                        {
                            "source_name": "Microsoft PowerShell Command History",
                            "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.",
                            "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7"
                        },
                        {
                            "source_name": "Sophos PowerShell command audit",
                            "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.",
                            "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit"
                        },
                        {
                            "source_name": "Sophos PowerShell Command History Forensics",
                            "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.",
                            "url": "https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Vikas Singh, Sophos",
                        "Emile Kenning, Sophos"
                    ],
                    "x_mitre_data_sources": [
                        "Process command-line parameters",
                        "PowerShell logs",
                        "File monitoring",
                        "Authentication logs"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Host forensic analysis",
                        "Log analysis"
                    ],
                    "x_mitre_detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the removal/clearing of the <code>~/.bash_history</code> file can be an indicator of suspicious activity, as can modification or unsetting of the <code>HISTFILE</code> and <code>HISTFILESIZE</code> environment variables, which suppress history before it is ever written. Note that <code>history -c</code> is a shell builtin and typically does not spawn a new process, so process-creation telemetry alone may not capture it; shell-level auditing is needed to observe it.\n\nMonitor for suspicious modifications or deletion of <code>ConsoleHost_history.txt</code> and use of the <code>Clear-History</code> command.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Vikas Singh, Sophos\", \"Emile Kenning, Sophos\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-16 18:09:48.686000+00:00\", \"old_value\": \"2020-03-29 21:31:03.043000+00:00\"}, \"root['description']\": {\"new_value\": \"In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\\n\\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\\n\\nAdversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file <code>rm ~/.bash_history</code>.\\n\\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\\n\\nThe <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost_history.txt</code> by default). 
This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\\n\\nAdversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)\", \"old_value\": \"In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.\\n\\nThese logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\\n\\nAdversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (<code>unset HISTFILE</code>), setting the command history size to zero (<code>export HISTFILESIZE=0</code>), manually clearing the history (<code>history -c</code>), or deleting the bash history file <code>rm ~/.bash_history</code>.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,11 @@\\n-In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. 
macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.\\n+In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\\n \\n-These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\\n+On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. 
The benefit of this is that it allows users to go back to commands they've used before in different sessions.\\n \\n-Adversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (<code>unset HISTFILE</code>), setting the command history size to zero (<code>export HISTFILESIZE=0</code>), manually clearing the history (<code>history -c</code>), or deleting the bash history file <code>rm ~/.bash_history</code>.\\n+Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file <code>rm ~/.bash_history</code>.\\n+\\n+On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\\n+\\n+The <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\\n+\\n+Adversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. 
Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the removal/clearing of the <code>~/.bash_history</code> file can be an indicator of suspicious activity.\\n\\nMonitor for suspicious modifications or deletion of <code>ConsoleHost_history.txt</code> and use of the <code>Clear-History</code> command.\", \"old_value\": \"User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the modification of the <code>HISTFILE</code> and <code>HISTFILESIZE</code> environment variables or the removal/clearing of the <code>~/.bash_history</code> file are indicators of suspicious activity.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the modification of the <code>HISTFILE</code> and <code>HISTFILESIZE</code> environment variables or the removal/clearing of the <code>~/.bash_history</code> file are indicators of suspicious activity.\\n+User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. 
Additionally, the removal/clearing of the <code>~/.bash_history</code> file can be an indicator of suspicious activity.\\n+\\n+Monitor for suspicious modifications or deletion of <code>ConsoleHost_history.txt</code> and use of the <code>Clear-History</code> command.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Microsoft PowerShell Command History\", \"description\": \"Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7\"}, \"root['external_references'][2]\": {\"source_name\": \"Sophos PowerShell command audit\", \"description\": \"jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.\", \"url\": \"https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit\"}, \"root['external_references'][3]\": {\"source_name\": \"Sophos PowerShell Command History Forensics\", \"description\": \"Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.\", \"url\": \"https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics\"}, \"root['x_mitre_data_sources'][0]\": \"Process command-line parameters\", \"root['x_mitre_data_sources'][1]\": \"PowerShell logs\", \"root['x_mitre_platforms'][2]\": \"Windows\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to13__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to13__0\"><a href=\"#difflib_chg_to13__top\">t</a></td><td class=\"diff_header\" id=\"from13_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">In&nbsp;addition&nbsp;to&nbsp;clearing&nbsp;system&nbsp;logs,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;clear&nbsp;</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to13__top\">t</a></td><td class=\"diff_header\" id=\"to13_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">In&nbsp;addition&nbsp;to&nbsp;clearing&nbsp;system&nbsp;logs,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;clear&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">the&nbsp;command&nbsp;history&nbsp;of&nbsp;a&nbsp;compromised&nbsp;account&nbsp;to&nbsp;conceal&nbsp;the&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">the&nbsp;command&nbsp;history&nbsp;of&nbsp;a&nbsp;compromised&nbsp;account&nbsp;to&nbsp;conceal&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">actions&nbsp;undertaken&nbsp;during&nbsp;an&nbsp;intrusion.&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;both</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">actions&nbsp;undertaken&nbsp;during&nbsp;an&nbsp;intrusion.&nbsp;Various&nbsp;command&nbsp;inte</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;keep&nbsp;track&nbsp;of&nbsp;the&nbsp;commands&nbsp;users&nbsp;type&nbsp;in&nbsp;their&nbsp;terminal&nbsp;so&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rpreters&nbsp;keep&nbsp;track&nbsp;of&nbsp;the&nbsp;commands&nbsp;users&nbsp;type&nbsp;in&nbsp;their&nbsp;term</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">that&nbsp;users&nbsp;can&nbsp;retrace&nbsp;what&nbsp;they've&nbsp;done.&nbsp;&nbsp;These&nbsp;logs&nbsp;can&nbsp;be</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">inal&nbsp;so&nbsp;that&nbsp;users&nbsp;can&nbsp;retrace&nbsp;what&nbsp;they've&nbsp;done.&nbsp;&nbsp;On&nbsp;Linux&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;accessed&nbsp;in&nbsp;a&nbsp;few&nbsp;different&nbsp;ways.&nbsp;While&nbsp;logged&nbsp;in,&nbsp;this&nbsp;com</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">and&nbsp;macOS,&nbsp;these&nbsp;command&nbsp;histories&nbsp;can&nbsp;be&nbsp;accessed&nbsp;in&nbsp;a&nbsp;few&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mand&nbsp;history&nbsp;is&nbsp;tracked&nbsp;in&nbsp;a&nbsp;file&nbsp;pointed&nbsp;to&nbsp;by&nbsp;the&nbsp;environm</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">different&nbsp;ways.&nbsp;While&nbsp;logged&nbsp;in,&nbsp;this&nbsp;command&nbsp;history&nbsp;is&nbsp;tra</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ent&nbsp;variable&nbsp;&lt;code&gt;HISTFILE&lt;/code&gt;.&nbsp;When&nbsp;a&nbsp;user&nbsp;logs&nbsp;off&nbsp;a&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cked&nbsp;in&nbsp;a&nbsp;file&nbsp;pointed&nbsp;to&nbsp;by&nbsp;the&nbsp;environment&nbsp;variable&nbsp;&lt;code&gt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ystem,&nbsp;this&nbsp;information&nbsp;is&nbsp;flushed&nbsp;to&nbsp;a&nbsp;file&nbsp;in&nbsp;the&nbsp;user's&nbsp;h</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">HISTFILE&lt;/code&gt;.&nbsp;When&nbsp;a&nbsp;user&nbsp;logs&nbsp;off&nbsp;a&nbsp;system,&nbsp;this&nbsp;informa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ome&nbsp;directory&nbsp;called&nbsp;&lt;code&gt;~/.bash_history&lt;/code&gt;.&nbsp;The&nbsp;benef</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion&nbsp;is&nbsp;flushed&nbsp;to&nbsp;a&nbsp;file&nbsp;in&nbsp;the&nbsp;user's&nbsp;home&nbsp;directory&nbsp;calle</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">it&nbsp;of&nbsp;this&nbsp;is&nbsp;that&nbsp;it&nbsp;allows&nbsp;users&nbsp;to&nbsp;go&nbsp;back&nbsp;to&nbsp;commands&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">d&nbsp;&lt;code&gt;~/.bash_history&lt;/code&gt;.&nbsp;The&nbsp;benefit&nbsp;of&nbsp;this&nbsp;is&nbsp;that&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ey've&nbsp;used&nbsp;before&nbsp;in&nbsp;different&nbsp;sessions.&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;us</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">it&nbsp;allows&nbsp;users&nbsp;to&nbsp;go&nbsp;back&nbsp;to&nbsp;commands&nbsp;they've&nbsp;used&nbsp;before&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;a&nbsp;variety&nbsp;of&nbsp;methods&nbsp;to&nbsp;prevent&nbsp;their&nbsp;own&nbsp;commands&nbsp;from&nbsp;ap</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n&nbsp;different&nbsp;sessions.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;delete&nbsp;their&nbsp;commands</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">pear&nbsp;in&nbsp;these&nbsp;logs,&nbsp;such&nbsp;as&nbsp;clearing&nbsp;the&nbsp;history&nbsp;environment</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;from&nbsp;these&nbsp;logs&nbsp;by&nbsp;manually&nbsp;clearing&nbsp;the&nbsp;history&nbsp;(&lt;code&gt;his</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;variable&nbsp;(&lt;code&gt;unset&nbsp;HISTFILE&lt;/code&gt;),&nbsp;setting&nbsp;the&nbsp;command</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">tory&nbsp;-c&lt;/code&gt;)&nbsp;or&nbsp;deleting&nbsp;the&nbsp;bash&nbsp;history&nbsp;file&nbsp;&lt;code&gt;rm&nbsp;~</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;history&nbsp;size&nbsp;to&nbsp;zero&nbsp;(&lt;code&gt;export&nbsp;HISTFILESIZE=0&lt;/code&gt;),&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/.bash_history&lt;/code&gt;.&nbsp;&nbsp;On&nbsp;Windows&nbsp;hosts,&nbsp;PowerShell&nbsp;has&nbsp;two</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">manually&nbsp;clearing&nbsp;the&nbsp;history&nbsp;(&lt;code&gt;history&nbsp;-c&lt;/code&gt;),&nbsp;or&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;different&nbsp;command&nbsp;history&nbsp;providers:&nbsp;the&nbsp;built-in&nbsp;history&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">deleting&nbsp;the&nbsp;bash&nbsp;history&nbsp;file&nbsp;&lt;code&gt;rm&nbsp;~/.bash_history&lt;/cod</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;the&nbsp;command&nbsp;history&nbsp;managed&nbsp;by&nbsp;the&nbsp;&lt;code&gt;PSReadLine&lt;/code</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&gt;.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&gt;&nbsp;module.&nbsp;The&nbsp;built-in&nbsp;history&nbsp;only&nbsp;tracks&nbsp;the&nbsp;commands&nbsp;used</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;in&nbsp;the&nbsp;current&nbsp;session.&nbsp;This&nbsp;command&nbsp;history&nbsp;is&nbsp;not&nbsp;availab</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">le&nbsp;to&nbsp;other&nbsp;sessions&nbsp;and&nbsp;is&nbsp;deleted&nbsp;when&nbsp;the&nbsp;session&nbsp;ends.&nbsp;&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">The&nbsp;&lt;code&gt;PSReadLine&lt;/code&gt;&nbsp;command&nbsp;history&nbsp;tracks&nbsp;the&nbsp;comma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nds&nbsp;used&nbsp;in&nbsp;all&nbsp;PowerShell&nbsp;sessions&nbsp;and&nbsp;writes&nbsp;them&nbsp;to&nbsp;a&nbsp;fil</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;(&lt;code&gt;$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e\\ConsoleHost_history.txt&lt;/code&gt;&nbsp;by&nbsp;default).&nbsp;This&nbsp;history&nbsp;f</span></td></tr>\n            
<tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ile&nbsp;is&nbsp;available&nbsp;to&nbsp;all&nbsp;sessions&nbsp;and&nbsp;contains&nbsp;all&nbsp;past&nbsp;histo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ry&nbsp;since&nbsp;the&nbsp;file&nbsp;is&nbsp;not&nbsp;deleted&nbsp;when&nbsp;the&nbsp;session&nbsp;ends.(Cita</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion:&nbsp;Microsoft&nbsp;PowerShell&nbsp;Command&nbsp;History)&nbsp;&nbsp;Adversaries&nbsp;may</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;run&nbsp;the&nbsp;PowerShell&nbsp;command&nbsp;&lt;code&gt;Clear-History&lt;/code&gt;&nbsp;to&nbsp;fl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ush&nbsp;the&nbsp;entire&nbsp;command&nbsp;history&nbsp;from&nbsp;a&nbsp;current&nbsp;PowerShell&nbsp;ses</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">sion.&nbsp;This,&nbsp;however,&nbsp;will&nbsp;not&nbsp;delete/flush&nbsp;the&nbsp;&lt;code&gt;Console</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Host_history.txt&lt;/code&gt;&nbsp;file.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;delete&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;&lt;code&gt;ConsoleHost_history.txt&lt;/code&gt;&nbsp;file&nbsp;or&nbsp;edit&nbsp;its&nbsp;cont</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ents&nbsp;to&nbsp;hide&nbsp;PowerShell&nbsp;commands&nbsp;they&nbsp;have&nbsp;run.(Citation:&nbsp;So</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">phos&nbsp;PowerShell&nbsp;command&nbsp;audit)(Citation:&nbsp;Sophos&nbsp;PowerShell&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ommand&nbsp;History&nbsp;Forensics)</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1039: Environment Variable Permissions",
                            "T1146: Clear Command History Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:48.323000+00:00",
                    "modified": "2020-10-21 01:31:35.760000+00:00",
                    "name": "Input Capture",
                    "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1056",
                            "external_id": "T1056"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/569.html",
                            "external_id": "CAPEC-569"
                        },
                        {
                            "source_name": "Adventures of a Keystroke",
                            "description": "Tinaztepe,  E. (n.d.). The Adventures of a Keystroke:  An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.",
                            "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "John Lambert, Microsoft Threat Intelligence Center"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "Windows event logs",
                        "User interface",
                        "Process command-line parameters",
                        "Process monitoring",
                        "PowerShell logs",
                        "Loaded DLLs",
                        "Kernel drivers",
                        "DLL monitoring",
                        "Binary file metadata",
                        "API monitoring"
                    ],
                    "x_mitre_detection": "Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM",
                        "root",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 01:31:35.760000+00:00\", \"old_value\": \"2020-03-24 21:29:13.900000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:58:11.791000+00:00",
                    "modified": "2020-10-21 01:30:56.227000+00:00",
                    "name": "Keylogging",
                    "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1056/001",
                            "external_id": "T1056.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/568.html",
                            "external_id": "CAPEC-568"
                        },
                        {
                            "source_name": "Adventures of a Keystroke",
                            "description": "Tinaztepe,  E. (n.d.). The Adventures of a Keystroke:  An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.",
                            "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "Process monitoring",
                        "API monitoring"
                    ],
                    "x_mitre_detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "root",
                        "SYSTEM",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "macOS",
                        "Linux",
                        "Network"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 01:30:56.227000+00:00\", \"old_value\": \"2020-03-24 20:45:52.998000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\\n\\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n\\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\\n* Reading raw keystroke data from the hardware buffer.\\n* Windows Registry modifications.\\n* Custom drivers.\\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) \", \"old_value\": \"Adversaries may log user keystrokes to intercept credentials as the user types them. 
Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\\n\\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n\\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\\n* Reading raw keystroke data from the hardware buffer.\\n* Windows Registry modifications.\\n* Custom drivers.\", \"diff\": \"--- \\n+++ \\n@@ -6,3 +6,4 @@\\n * Reading raw keystroke data from the hardware buffer.\\n * Windows Registry modifications.\\n * Custom drivers.\\n+* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Cisco Blog Legacy Device Attacks\", \"description\": \"Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.\", \"url\": \"https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954\"}, \"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to5__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to5__0\"><a href=\"#difflib_chg_to5__top\">t</a></td><td class=\"diff_header\" id=\"from5_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td><td class=\"diff_next\"><a href=\"#difflib_chg_to5__top\">t</a></td><td class=\"diff_header\" id=\"to5_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;efforts&nbsp;are&nbsp;not&nbsp;effective,&nbsp;and&nbsp;may&nbsp;require&nbsp;an&nbsp;adversary&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;efforts&nbsp;are&nbsp;not&nbsp;effective,&nbsp;and&nbsp;may&nbsp;require&nbsp;an&nbsp;adversary&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intercept&nbsp;keystrokes&nbsp;on&nbsp;a&nbsp;system&nbsp;for&nbsp;a&nbsp;substantial&nbsp;period&nbsp;of</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intercept&nbsp;keystrokes&nbsp;on&nbsp;a&nbsp;system&nbsp;for&nbsp;a&nbsp;substantial&nbsp;period&nbsp;of</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;time&nbsp;before&nbsp;credentials&nbsp;can&nbsp;be&nbsp;successfully&nbsp;captured.&nbsp;&nbsp;Keyl</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;time&nbsp;before&nbsp;credentials&nbsp;can&nbsp;be&nbsp;successfully&nbsp;captured.&nbsp;&nbsp;Keyl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogging&nbsp;is&nbsp;the&nbsp;most&nbsp;prevalent&nbsp;type&nbsp;of&nbsp;input&nbsp;capture,&nbsp;with&nbsp;man</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogging&nbsp;is&nbsp;the&nbsp;most&nbsp;prevalent&nbsp;type&nbsp;of&nbsp;input&nbsp;capture,&nbsp;with&nbsp;man</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;different&nbsp;ways&nbsp;of&nbsp;intercepting&nbsp;keystrokes.(Citation:&nbsp;Adven</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;different&nbsp;ways&nbsp;of&nbsp;intercepting&nbsp;keystrokes.(Citation:&nbsp;Adven</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tures&nbsp;of&nbsp;a&nbsp;Keystroke)&nbsp;Some&nbsp;methods&nbsp;include:&nbsp;&nbsp;*&nbsp;Hooking&nbsp;API&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tures&nbsp;of&nbsp;a&nbsp;Keystroke)&nbsp;Some&nbsp;methods&nbsp;include:&nbsp;&nbsp;*&nbsp;Hooking&nbsp;API&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">allbacks&nbsp;used&nbsp;for&nbsp;processing&nbsp;keystrokes.&nbsp;Unlike&nbsp;[Credential&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">allbacks&nbsp;used&nbsp;for&nbsp;processing&nbsp;keystrokes.&nbsp;Unlike&nbsp;[Credential&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">API&nbsp;Hooking](https://attack.mitre.org/techniques/T1056/004),</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">API&nbsp;Hooking](https://attack.mitre.org/techniques/T1056/004),</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;this&nbsp;focuses&nbsp;solely&nbsp;on&nbsp;API&nbsp;functions&nbsp;intended&nbsp;for&nbsp;processin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;this&nbsp;focuses&nbsp;solely&nbsp;on&nbsp;API&nbsp;functions&nbsp;intended&nbsp;for&nbsp;processin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">g&nbsp;keystroke&nbsp;data.&nbsp;*&nbsp;Reading&nbsp;raw&nbsp;keystroke&nbsp;data&nbsp;from&nbsp;the&nbsp;hard</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;keystroke&nbsp;data.&nbsp;*&nbsp;Reading&nbsp;raw&nbsp;keystroke&nbsp;data&nbsp;from&nbsp;the&nbsp;hard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;buffer.&nbsp;*&nbsp;Windows&nbsp;Registry&nbsp;modifications.&nbsp;*&nbsp;Custom&nbsp;driv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;buffer.&nbsp;*&nbsp;Windows&nbsp;Registry&nbsp;modifications.&nbsp;*&nbsp;Custom&nbsp;driv</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ers.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ers.<span class=\"diff_add\">&nbsp;*&nbsp;[Modify&nbsp;System&nbsp;Image](https://attack.mitre.org/techni</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ques/T1601)&nbsp;may&nbsp;provide&nbsp;adversaries&nbsp;with&nbsp;hooks&nbsp;into&nbsp;the&nbsp;oper</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ating&nbsp;system&nbsp;of&nbsp;network&nbsp;devices&nbsp;to&nbsp;read&nbsp;raw&nbsp;keystrokes&nbsp;for&nbsp;l</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ogin&nbsp;sessions.(Citation:&nbsp;Cisco&nbsp;Blog&nbsp;Legacy&nbsp;Device&nbsp;Attacks)&nbsp;</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 19:07:12.114000+00:00",
                    "modified": "2020-10-16 15:19:48.733000+00:00",
                    "name": "Man-in-the-Middle",
                    "description": "Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nAdversaries may leverage the MiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1557",
                            "external_id": "T1557"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/94.html",
                            "external_id": "CAPEC-94"
                        },
                        {
                            "source_name": "Rapid7 MiTM Basics",
                            "description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.",
                            "url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Netflow/Enclave netflow",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Monitor network traffic for anomalies associated with known MiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "macOS",
                        "Linux"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-16 15:19:48.733000+00:00\", \"old_value\": \"2020-03-31 13:54:08.535000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1030: Network Segmentation",
                            "M1031: Network Intrusion Prevention",
                            "M1035: Limit Access to Resource Over Network",
                            "M1037: Filter Network Traffic",
                            "M1042: Disable or Remove Feature or Program"
                        ],
                        "new": [
                            "M1017: User Training",
                            "M1041: Encrypt Sensitive Information"
                        ],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 19:01:56.887000+00:00",
                    "modified": "2020-10-21 02:41:11.743000+00:00",
                    "name": "Modify Authentication Process",
                    "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows or pluggable authentication modules (PAM) on Unix-based systems, responsible for gathering, storing, and validating credentials. \n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1556",
                            "external_id": "T1556"
                        },
                        {
                            "source_name": "Clymb3r Function Hook Passwords Sept 2013",
                            "description": "Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.",
                            "url": "https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/"
                        },
                        {
                            "source_name": "Dell Skeleton",
                            "description": "Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.",
                            "url": "https://www.secureworks.com/research/skeleton-key-malware-analysis"
                        },
                        {
                            "source_name": "TechNet Audit Policy",
                            "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Authentication logs",
                        "API monitoring",
                        "Windows Registry",
                        "Process monitoring",
                        "DLL monitoring"
                    ],
                    "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages</code>) and correlate, then investigate, the DLL files those entries reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to <code>OpenProcess</code> that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: <code>/etc/pam.d/</code>) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Windows",
                        "Linux",
                        "macOS",
                        "Network"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 02:41:11.743000+00:00\", \"old_value\": \"2020-07-13 21:23:01.762000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1025: Privileged Process Integrity",
                            "M1026: Privileged Account Management",
                            "M1028: Operating System Configuration",
                            "M1032: Multi-factor Authentication"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:23.587000+00:00",
                    "modified": "2020-08-13 20:02:49.641000+00:00",
                    "name": "Modify Registry",
                    "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1112",
                            "external_id": "T1112"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/203.html",
                            "external_id": "CAPEC-203"
                        },
                        {
                            "source_name": "Microsoft Reg",
                            "description": "Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.",
                            "url": "https://technet.microsoft.com/en-us/library/cc732643.aspx"
                        },
                        {
                            "source_name": "Microsoft Reghide NOV 2006",
                            "description": "Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.",
                            "url": "https://docs.microsoft.com/sysinternals/downloads/reghide"
                        },
                        {
                            "source_name": "TrendMicro POWELIKS AUG 2014",
                            "description": "Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/"
                        },
                        {
                            "source_name": "SpectorOps Hiding Reg Jul 2017",
                            "description": "Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.",
                            "url": "https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353"
                        },
                        {
                            "source_name": "Microsoft Remote",
                            "description": "Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.",
                            "url": "https://technet.microsoft.com/en-us/library/cc754820.aspx"
                        },
                        {
                            "source_name": "Microsoft 4657 APR 2017",
                            "description": "Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.",
                            "url": "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657"
                        },
                        {
                            "source_name": "Microsoft RegDelNull July 2016",
                            "description": "Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.",
                            "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Bartosz Jerzman",
                        "Travis Smith, Tripwire",
                        "David Lu, Tripwire"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters",
                        "Windows event logs"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Host forensic analysis"
                    ],
                    "x_mitre_detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-13 20:02:49.641000+00:00\", \"old_value\": \"2020-03-29 22:52:55.930000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\\n\\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\\n\\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. 
(Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).\", \"old_value\": \"Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\\n\\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\\n\\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. 
(Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\\n \\n-Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\\n+Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\\n \\n Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2",
                    "changelog_mitigations": {
                        "shared": [
                            "M1024: Restrict Registry Permissions",
                            "T1112: Modify Registry Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-02 20:07:18.651000+00:00",
                    "modified": "2020-09-16 15:57:12.410000+00:00",
                    "name": "Direct Network Flood",
                    "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. A [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) is when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1498/001",
                            "external_id": "T1498.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/125.html",
                            "external_id": "CAPEC-125"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/486.html",
                            "external_id": "CAPEC-486"
                        },
                        {
                            "source_name": "USNYAG IranianBotnet March 2016",
                            "description": "Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.",
                            "url": "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged"
                        },
                        {
                            "source_name": "Cisco DoSdetectNetflow",
                            "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.",
                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Sensor health and status",
                        "Network protocol analysis",
                        "Netflow/Enclave netflow",
                        "Network intrusion detection system",
                        "Network device logs"
                    ],
                    "x_mitre_detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic that identifies a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small, and the indicator of an event is that availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure AD",
                        "SaaS",
                        "Azure",
                        "Office 365"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-125\", \"root['external_references'][2]['external_id']\": \"CAPEC-486\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.\", \"root['external_references'][2]['description']\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:57:12.410000+00:00\", \"old_value\": \"2020-03-29 01:10:52.360000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"USNYAG IranianBotnet March 2016\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/125.html\", \"old_value\": \"https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Cisco DoSdetectNetflow\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/486.html\", \"old_value\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"USNYAG IranianBotnet March 2016\", \"description\": \"Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.\", \"url\": \"https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged\"}, \"root['external_references'][4]\": {\"source_name\": \"Cisco DoSdetectNetflow\", \"description\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\", \"url\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-02 20:08:03.691000+00:00",
                    "modified": "2020-09-16 15:58:18.490000+00:00",
                    "name": "Reflection Amplification",
                    "description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depend upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild has been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1498/002",
                            "external_id": "T1498.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/490.html",
                            "external_id": "CAPEC-490"
                        },
                        {
                            "source_name": "Cloudflare ReflectionDoS May 2017",
                            "description": "Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019.",
                            "url": "https://blog.cloudflare.com/reflections-on-reflections/"
                        },
                        {
                            "source_name": "Cloudflare DNSamplficationDoS",
                            "description": "Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019.",
                            "url": "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/"
                        },
                        {
                            "source_name": "Cloudflare NTPamplifciationDoS",
                            "description": "Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019.",
                            "url": "https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/"
                        },
                        {
                            "source_name": "Arbor AnnualDoSreport Jan 2018",
                            "description": "Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.",
                            "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf"
                        },
                        {
                            "source_name": "Cloudflare Memcrashed Feb 2018",
                            "description": "Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.",
                            "url": "https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/"
                        },
                        {
                            "source_name": "Cisco DoSdetectNetflow",
                            "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.",
                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Sensor health and status",
                        "Network protocol analysis",
                        "Netflow/Enclave netflow",
                        "Network intrusion detection system",
                        "Network device logs"
                    ],
                    "x_mitre_detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic that identifies a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small, and the indicator of an event is that availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "macOS",
                        "Windows",
                        "Linux",
                        "AWS",
                        "Office 365",
                        "Azure AD",
                        "GCP",
                        "Azure",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-490\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:58:18.490000+00:00\", \"old_value\": \"2020-03-23 12:55:30.119000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Cloudflare ReflectionDoS May 2017\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/490.html\", \"old_value\": \"https://blog.cloudflare.com/reflections-on-reflections/\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Cloudflare ReflectionDoS May 2017\", \"old_value\": \"Cloudflare DNSamplficationDoS\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019.\", \"old_value\": \"Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://blog.cloudflare.com/reflections-on-reflections/\", \"old_value\": \"https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Cloudflare DNSamplficationDoS\", \"old_value\": \"Cloudflare NTPamplifciationDoS\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019.\", \"old_value\": \"Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/\", \"old_value\": \"https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Cloudflare NTPamplifciationDoS\", \"old_value\": \"Arbor AnnualDoSreport Jan 2018\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019.\", \"old_value\": \"Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/\", \"old_value\": \"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Arbor AnnualDoSreport Jan 2018\", \"old_value\": \"Cloudflare Memcrashed Feb 2018\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.\", \"old_value\": \"Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf\", \"old_value\": \"https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Cloudflare Memcrashed Feb 2018\", \"old_value\": \"Cisco DoSdetectNetflow\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.\", \"old_value\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/\", \"old_value\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][7]\": {\"source_name\": \"Cisco DoSdetectNetflow\", \"description\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\", \"url\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:10.728000+00:00",
                    "modified": "2020-10-21 19:41:49.412000+00:00",
                    "name": "Non-Application Layer Protocol",
                    "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1095",
                            "external_id": "T1095"
                        },
                        {
                            "source_name": "Wikipedia OSI",
                            "description": "Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.",
                            "url": "http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        },
                        {
                            "source_name": "Microsoft ICMP",
                            "description": "Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.",
                            "url": "http://support.microsoft.com/KB/170292"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        },
                        {
                            "source_name": "University of Birmingham C2",
                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Ryan Becwar"
                    ],
                    "x_mitre_data_sources": [
                        "Host network interface",
                        "Netflow/Enclave netflow",
                        "Network intrusion detection system",
                        "Network protocol analysis",
                        "Packet capture",
                        "Process use of network"
                    ],
                    "x_mitre_detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_network_requirements": true,
                    "x_mitre_platforms": [
                        "Windows",
                        "Linux",
                        "macOS",
                        "Network"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 19:41:49.412000+00:00\", \"old_value\": \"2020-03-11 15:09:26.624000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\\n\\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.\", \"old_value\": \"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\\n\\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,4 @@\\n Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\\n \\n-ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.\\n+ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\\n+ Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Cisco Synful Knock Evolution\", \"old_value\": \"Microsoft ICMP\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.\", \"old_value\": \"Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices\", \"old_value\": \"http://support.microsoft.com/KB/170292\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Microsoft ICMP\", \"old_value\": \"University of Birmingham C2\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.\", \"old_value\": \"Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"http://support.microsoft.com/KB/170292\", \"old_value\": \"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\\n\\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \\n\\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.\", \"old_value\": \"Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.\\n\\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\\n\\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.\\n+Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\\n \\n-Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\\n+Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \\n \\n Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"Cisco Blog Legacy Device Attacks\", \"description\": \"Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.\", \"url\": \"https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954\"}, \"root['external_references'][5]\": {\"source_name\": \"University of Birmingham C2\", \"description\": \"Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.\", \"url\": \"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf\"}, \"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "2.0",
                    "version_change": "2.0 \u2192 2.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to4__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to4__0\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"from4_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;use&nbsp;a&nbsp;non-application&nbsp;layer&nbsp;protocol&nbsp;for&nbsp;com</td><td class=\"diff_next\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"to4_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;use&nbsp;a&nbsp;non-application&nbsp;layer&nbsp;protocol&nbsp;for&nbsp;com</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">munication&nbsp;between&nbsp;host&nbsp;and&nbsp;C2&nbsp;server&nbsp;or&nbsp;among&nbsp;infected&nbsp;host</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">munication&nbsp;between&nbsp;host&nbsp;and&nbsp;C2&nbsp;server&nbsp;or&nbsp;among&nbsp;infected&nbsp;host</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;within&nbsp;a&nbsp;network.&nbsp;The&nbsp;list&nbsp;of&nbsp;possible&nbsp;protocols&nbsp;is&nbsp;extens</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;within&nbsp;a&nbsp;network.&nbsp;The&nbsp;list&nbsp;of&nbsp;possible&nbsp;protocols&nbsp;is&nbsp;extens</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">ive.(Citation:&nbsp;Wikipedia&nbsp;OSI)&nbsp;Specific&nbsp;examples&nbsp;include&nbsp;use&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ive.(Citation:&nbsp;Wikipedia&nbsp;OSI)&nbsp;Specific&nbsp;examples&nbsp;include&nbsp;use&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">of&nbsp;network&nbsp;layer&nbsp;protocols,&nbsp;such&nbsp;as&nbsp;the&nbsp;Internet&nbsp;Control&nbsp;Mes</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">of&nbsp;network&nbsp;layer&nbsp;protocols,&nbsp;such&nbsp;as&nbsp;the&nbsp;Internet&nbsp;Control&nbsp;Mes</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sage&nbsp;Protocol&nbsp;(ICMP),&nbsp;transport&nbsp;layer&nbsp;protocols,&nbsp;such&nbsp;as&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sage&nbsp;Protocol&nbsp;(ICMP),&nbsp;transport&nbsp;layer&nbsp;protocols,&nbsp;such&nbsp;as&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;User&nbsp;Datagram&nbsp;Protocol&nbsp;(UDP),&nbsp;session&nbsp;layer&nbsp;protocols,&nbsp;such</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;User&nbsp;Datagram&nbsp;Protocol&nbsp;(UDP),&nbsp;session&nbsp;layer&nbsp;protocols,&nbsp;such</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;Socket&nbsp;Secure&nbsp;(SOCKS),&nbsp;as&nbsp;well&nbsp;as&nbsp;redirected/tunneled&nbsp;pr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;Socket&nbsp;Secure&nbsp;(SOCKS),&nbsp;as&nbsp;well&nbsp;as&nbsp;redirected/tunneled&nbsp;pr</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">otocols,&nbsp;such&nbsp;as&nbsp;Serial&nbsp;over&nbsp;LAN&nbsp;(SOL).&nbsp;&nbsp;ICMP&nbsp;communication&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">otocols,&nbsp;such&nbsp;as&nbsp;Serial&nbsp;over&nbsp;LAN&nbsp;(SOL).&nbsp;&nbsp;ICMP&nbsp;communication&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">between&nbsp;hosts&nbsp;is&nbsp;one&nbsp;example.&nbsp;Because&nbsp;ICMP&nbsp;is&nbsp;part&nbsp;of&nbsp;the&nbsp;In</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">between&nbsp;hosts&nbsp;is&nbsp;one&nbsp;example.<span class=\"diff_add\">(Citation:&nbsp;Cisco&nbsp;Synful&nbsp;Knock&nbsp;E</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ternet&nbsp;Protocol&nbsp;Suite,&nbsp;it&nbsp;is&nbsp;required&nbsp;to&nbsp;be&nbsp;implemented&nbsp;by&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">volution)&nbsp;</span>&nbsp;Because&nbsp;ICMP&nbsp;is&nbsp;part&nbsp;of&nbsp;the&nbsp;Internet&nbsp;Protocol&nbsp;Sui</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ll&nbsp;IP-compatible&nbsp;hosts;&nbsp;(Citation:&nbsp;Microsoft&nbsp;ICMP)&nbsp;however,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">te,&nbsp;it&nbsp;is&nbsp;required&nbsp;to&nbsp;be&nbsp;implemented&nbsp;by&nbsp;all&nbsp;IP-compatible&nbsp;ho</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">it&nbsp;is&nbsp;not&nbsp;as&nbsp;commonly&nbsp;monitored&nbsp;as&nbsp;other&nbsp;Internet&nbsp;Protocols&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">sts;&nbsp;(Citation:&nbsp;Microsoft&nbsp;ICMP)&nbsp;however,&nbsp;it&nbsp;is&nbsp;not&nbsp;as&nbsp;common</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">such&nbsp;as&nbsp;TCP&nbsp;or&nbsp;UDP&nbsp;and&nbsp;may&nbsp;be&nbsp;used&nbsp;by&nbsp;adversaries&nbsp;to&nbsp;hide&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ly&nbsp;monitored&nbsp;as&nbsp;other&nbsp;Internet&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;TCP&nbsp;or&nbsp;UDP&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mmunications.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">and&nbsp;may&nbsp;be&nbsp;used&nbsp;by&nbsp;adversaries&nbsp;to&nbsp;hide&nbsp;communications.</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1030: Network Segmentation",
                            "M1031: Network Intrusion Prevention",
                            "M1037: Filter Network Traffic",
                            "T1095: Standard Non-Application Layer Protocol Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-05 14:04:25.865000+00:00",
                    "modified": "2020-09-17 18:25:33.828000+00:00",
                    "name": "Binary Padding",
                    "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1027/001",
                            "external_id": "T1027.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/572.html",
                            "external_id": "CAPEC-572"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/655.html",
                            "external_id": "CAPEC-655"
                        },
                        {
                            "source_name": "ESET OceanLotus",
                            "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
                            "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
                        },
                        {
                            "source_name": "Securelist Malware Tricks April 2017",
                            "description": "Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.",
                            "url": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/"
                        },
                        {
                            "source_name": "VirusTotal FAQ",
                            "description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.",
                            "url": "https://www.virustotal.com/en/faq/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Martin Jirkal, ESET"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "Binary file metadata",
                        "File monitoring",
                        "Malware reverse engineering"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Anti-virus",
                        "Signature-based detection"
                    ],
                    "x_mitre_detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool.  When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][2]['external_id']\": \"CAPEC-655\"}, \"dictionary_item_removed\": {\"root['external_references'][2]['description']\": \"Folt\\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-17 18:25:33.828000+00:00\", \"old_value\": \"2020-06-20 20:50:48.023000+00:00\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"ESET OceanLotus\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/655.html\", \"old_value\": \"https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"ESET OceanLotus\", \"old_value\": \"Securelist Malware Tricks April 2017\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Folt\\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.\", \"old_value\": \"Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/\", \"old_value\": \"https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Securelist Malware Tricks April 2017\", \"old_value\": \"VirusTotal FAQ\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.\", \"old_value\": \"VirusTotal. (n.d.). VirusTotal FAQ. 
Retrieved May 23, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/\", \"old_value\": \"https://www.virustotal.com/en/faq/ \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"VirusTotal FAQ\", \"description\": \"VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.\", \"url\": \"https://www.virustotal.com/en/faq/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-05 14:28:16.719000+00:00",
                    "modified": "2020-09-16 19:24:20.350000+00:00",
                    "name": "Steganography",
                    "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used\u202f<code>Invoke-PSImage</code>\u202fto hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)  ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1027/003",
                            "external_id": "T1027.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/636.html",
                            "external_id": "CAPEC-636"
                        },
                        {
                            "source_name": "Wikipedia Duqu",
                            "description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.",
                            "url": "https://en.wikipedia.org/wiki/Duqu"
                        },
                        {
                            "source_name": "McAfee Malicious Doc Targets Pyeongchang Olympics",
                            "description": "Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.",
                            "url": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Binary file metadata"
                    ],
                    "x_mitre_detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-636\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:24:20.350000+00:00\", \"old_value\": \"2020-06-08 18:16:48.253000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Wikipedia Duqu\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/636.html\", \"old_value\": \"https://en.wikipedia.org/wiki/Duqu\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Wikipedia Duqu\", \"old_value\": \"McAfee Malicious Doc Targets Pyeongchang Olympics\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.\", \"old_value\": \"Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://en.wikipedia.org/wiki/Duqu\", \"old_value\": \"https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"McAfee Malicious Doc Targets Pyeongchang Olympics\", \"description\": \"Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.\", \"url\": \"https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-09-29 14:48:07.227000+00:00",
                    "name": "Password Policy Discovery",
                    "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1201",
                            "external_id": "T1201"
                        },
                        {
                            "source_name": "Superuser Linux Password Policies",
                            "description": "Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)?. Retrieved April 5, 2018.",
                            "url": "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu"
                        },
                        {
                            "source_name": "Jamf User Password Policies",
                            "description": "Holland, J. (2016, January 25). User password policies on non AD machines. Retrieved April 5, 2018.",
                            "url": "https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Sudhanshu Chauhan, @Sudhanshu_C"
                    ],
                    "x_mitre_data_sources": [
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Monitor processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "Linux",
                        "macOS"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-29 14:48:07.227000+00:00\", \"old_value\": \"2020-03-26 17:17:42.457000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\\n\\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\", \"old_value\": \"Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. 
if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\\n\\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. 
if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\\n \\n-Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\\n+Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to8__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to8__0\"><a href=\"#difflib_chg_to8__top\">t</a></td><td class=\"diff_header\" id=\"from8_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;access&nbsp;detailed&nbsp;information&nbsp;about</td><td class=\"diff_next\"><a href=\"#difflib_chg_to8__top\">t</a></td><td class=\"diff_header\" id=\"to8_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;access&nbsp;detailed&nbsp;information&nbsp;about</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;password&nbsp;policy&nbsp;used&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network.&nbsp;Pass</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;password&nbsp;policy&nbsp;used&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network.&nbsp;Pass</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">word&nbsp;policies&nbsp;for&nbsp;networks&nbsp;are&nbsp;a&nbsp;way&nbsp;to&nbsp;enforce&nbsp;complex&nbsp;pass</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">word&nbsp;policies&nbsp;for&nbsp;networks&nbsp;are&nbsp;a&nbsp;way&nbsp;to&nbsp;enforce&nbsp;complex&nbsp;pass</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">words&nbsp;that&nbsp;are&nbsp;difficult&nbsp;to&nbsp;guess&nbsp;or&nbsp;crack&nbsp;through&nbsp;[Brute&nbsp;Fo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">words&nbsp;that&nbsp;are&nbsp;difficult&nbsp;to&nbsp;guess&nbsp;or&nbsp;crack&nbsp;through&nbsp;[Brute&nbsp;Fo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rce](https://attack.mitre.org/techniques/T1110).&nbsp;This&nbsp;would&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rce](https://attack.mitre.org/techniques/T1110).&nbsp;This&nbsp;would&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">help&nbsp;the&nbsp;adversary&nbsp;to&nbsp;create&nbsp;a&nbsp;list&nbsp;of&nbsp;common&nbsp;passwords&nbsp;and&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">help&nbsp;the&nbsp;adversary&nbsp;to&nbsp;create&nbsp;a&nbsp;list&nbsp;of&nbsp;common&nbsp;passwords&nbsp;and&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">launch&nbsp;dictionary&nbsp;and/or&nbsp;brute&nbsp;force&nbsp;attacks&nbsp;which&nbsp;adheres&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">launch&nbsp;dictionary&nbsp;and/or&nbsp;brute&nbsp;force&nbsp;attacks&nbsp;which&nbsp;adheres&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;the&nbsp;policy&nbsp;(e.g.&nbsp;if&nbsp;the&nbsp;minimum&nbsp;password&nbsp;length&nbsp;should&nbsp;be&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;the&nbsp;policy&nbsp;(e.g.&nbsp;if&nbsp;the&nbsp;minimum&nbsp;password&nbsp;length&nbsp;should&nbsp;be&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">8,&nbsp;then&nbsp;not&nbsp;trying&nbsp;passwords&nbsp;such&nbsp;as&nbsp;'pass123';&nbsp;not&nbsp;checking</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">8,&nbsp;then&nbsp;not&nbsp;trying&nbsp;passwords&nbsp;such&nbsp;as&nbsp;'pass123';&nbsp;not&nbsp;checking</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;for&nbsp;more&nbsp;than&nbsp;3-4&nbsp;passwords&nbsp;per&nbsp;account&nbsp;if&nbsp;the&nbsp;lockout&nbsp;is&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;for&nbsp;more&nbsp;than&nbsp;3-4&nbsp;passwords&nbsp;per&nbsp;account&nbsp;if&nbsp;the&nbsp;lockout&nbsp;is&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">et&nbsp;to&nbsp;6&nbsp;as&nbsp;to&nbsp;not&nbsp;lock&nbsp;out&nbsp;accounts).&nbsp;&nbsp;Password&nbsp;policies&nbsp;can</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">et&nbsp;to&nbsp;6&nbsp;as&nbsp;to&nbsp;not&nbsp;lock&nbsp;out&nbsp;accounts).&nbsp;&nbsp;Password&nbsp;policies&nbsp;can</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;be&nbsp;set&nbsp;and&nbsp;discovered&nbsp;on&nbsp;Windows,&nbsp;Linux,&nbsp;and&nbsp;macOS&nbsp;systems&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;be&nbsp;set&nbsp;and&nbsp;discovered&nbsp;on&nbsp;Windows,&nbsp;Linux,&nbsp;and&nbsp;macOS&nbsp;systems&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">via&nbsp;various&nbsp;command&nbsp;shell&nbsp;utilities&nbsp;such&nbsp;as&nbsp;&lt;code&gt;net&nbsp;accoun</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">via&nbsp;various&nbsp;command&nbsp;shell&nbsp;utilities&nbsp;such&nbsp;as&nbsp;&lt;code&gt;net&nbsp;accoun</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ts&nbsp;(/domain)&lt;/code&gt;,&nbsp;&lt;code&gt;chage&nbsp;-l&nbsp;&lt;username&gt;&lt;/code&gt;,&nbsp;&lt;code</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ts&nbsp;(/domain)&lt;/code&gt;,&nbsp;&lt;code&gt;<span class=\"diff_add\">Get-ADDefaultDomainPasswordPolicy</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&gt;cat&nbsp;/etc/pam.d/common-password&lt;/code&gt;,&nbsp;and&nbsp;&lt;code&gt;pwpolicy&nbsp;g</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&lt;/code&gt;,&nbsp;&lt;code&gt;</span>chage&nbsp;-l&nbsp;&lt;username&gt;&lt;/code&gt;,&nbsp;&lt;code&gt;cat&nbsp;/etc/pa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etaccountpolicies&lt;/code&gt;.(Citation:&nbsp;Superuser&nbsp;Linux&nbsp;Password</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m.d/common-password&lt;/code&gt;,&nbsp;and&nbsp;&lt;code&gt;pwpolicy&nbsp;getaccountpol</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Policies)&nbsp;(Citation:&nbsp;Jamf&nbsp;User&nbsp;Password&nbsp;Policies)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icies&lt;/code&gt;.(Citation:&nbsp;Superuser&nbsp;Linux&nbsp;Password&nbsp;Policies)&nbsp;(</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">Citation:&nbsp;Jamf&nbsp;User&nbsp;Password&nbsp;Policies)</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1027: Password Policies",
                            "T1201: Password Policy Discovery Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:55.471000+00:00",
                    "modified": "2020-10-08 17:36:01.675000+00:00",
                    "name": "Permission Groups Discovery",
                    "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1069",
                            "external_id": "T1069"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/576.html",
                            "external_id": "CAPEC-576"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Microsoft Threat Intelligence Center (MSTIC)"
                    ],
                    "x_mitre_data_sources": [
                        "Stackdriver logs",
                        "GCP audit logs",
                        "AWS CloudTrail logs",
                        "Azure activity logs",
                        "Office 365 account logs",
                        "API monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Office 365",
                        "Azure AD",
                        "AWS",
                        "GCP",
                        "Azure",
                        "SaaS"
                    ],
                    "x_mitre_version": "2.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-08 17:36:01.675000+00:00\", \"old_value\": \"2020-03-26 17:48:28.002000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Stackdriver logs\", \"root['x_mitre_data_sources'][1]\": \"GCP audit logs\", \"root['x_mitre_data_sources'][2]\": \"AWS CloudTrail logs\"}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 2.2",
                    "changelog_mitigations": {
                        "shared": [
                            "T1069: Permission Groups Discovery Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-21 21:15:33.222000+00:00",
                    "modified": "2020-10-08 17:34:39.077000+00:00",
                    "name": "Cloud Groups",
                    "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft Msolrole)(Citation: GitHub Raindance)\n\nAzure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command <code>az ad user get-member-groups</code> will list groups associated with a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1069/003",
                            "external_id": "T1069.003"
                        },
                        {
                            "source_name": "Microsoft Msolrole",
                            "description": "Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.",
                            "url": "https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0"
                        },
                        {
                            "source_name": "GitHub Raindance",
                            "description": "Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.",
                            "url": "https://github.com/True-Demon/raindance"
                        },
                        {
                            "source_name": "Microsoft AZ CLI",
                            "description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
                            "url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest"
                        },
                        {
                            "source_name": "Black Hills Red Teaming MS AD Azure, 2018",
                            "description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.",
                            "url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "GCP audit logs",
                        "Stackdriver logs",
                        "AWS CloudTrail logs",
                        "Azure activity logs",
                        "Office 365 account logs",
                        "API monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Office 365",
                        "Azure AD",
                        "GCP",
                        "SaaS",
                        "Azure",
                        "AWS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-08 17:34:39.077000+00:00\", \"old_value\": \"2020-03-12 19:25:12.782000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"GCP audit logs\", \"root['x_mitre_data_sources'][1]\": \"Stackdriver logs\", \"root['x_mitre_data_sources'][2]\": \"AWS CloudTrail logs\", \"root['x_mitre_platforms'][2]\": \"GCP\", \"root['x_mitre_platforms'][3]\": \"SaaS\", \"root['x_mitre_platforms'][4]\": \"Azure\", \"root['x_mitre_platforms'][5]\": \"AWS\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-11-13 14:44:49.439000+00:00",
                    "modified": "2020-10-22 16:35:54.740000+00:00",
                    "name": "Pre-OS Boot",
                    "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\n\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1542",
                            "external_id": "T1542"
                        },
                        {
                            "source_name": "Wikipedia Booting",
                            "description": "Wikipedia. (n.d.). Booting. Retrieved November 13, 2019.",
                            "url": "https://en.wikipedia.org/wiki/Booting"
                        },
                        {
                            "source_name": "ITWorld Hard Disk Health Dec 2014",
                            "description": "Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018.",
                            "url": "https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "VBR",
                        "MBR",
                        "Component firmware",
                        "Process monitoring",
                        "Disk forensics",
                        "EFI",
                        "BIOS",
                        "API monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Anti-virus",
                        "Host intrusion prevention systems",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\n\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 16:35:54.740000+00:00\", \"old_value\": \"2020-05-19 21:22:38.174000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][2]\": \"Network\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1046: Boot Integrity",
                            "M1051: Update Software"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-12-19 21:05:38.123000+00:00",
                    "modified": "2020-09-17 19:47:14.338000+00:00",
                    "name": "Bootkit",
                    "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1542/003",
                            "external_id": "T1542.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/552.html",
                            "external_id": "CAPEC-552"
                        },
                        {
                            "source_name": "Mandiant M Trends 2016",
                            "description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
                        },
                        {
                            "source_name": "Lau 2011",
                            "description": "Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.",
                            "url": "http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "VBR",
                        "MBR",
                        "API monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Host intrusion prevention systems",
                        "Anti-virus",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-552\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-17 19:47:14.338000+00:00\", \"old_value\": \"2020-05-07 22:32:05.335000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Mandiant M Trends 2016\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/552.html\", \"old_value\": \"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Mandiant M Trends 2016\", \"old_value\": \"Lau 2011\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.\", \"old_value\": \"Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf\", \"old_value\": \"http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Lau 2011\", \"description\": \"Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.\", \"url\": \"http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1046: Boot Integrity",
                            "T1067: Bootkit Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:08.479000+00:00",
                    "modified": "2020-10-21 17:54:28.531000+00:00",
                    "name": "Proxy",
                    "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1090",
                            "external_id": "T1090"
                        },
                        {
                            "source_name": "Trend Micro APT Attack Tools",
                            "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.",
                            "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/"
                        },
                        {
                            "source_name": "University of Birmingham C2",
                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Brian Prange",
                        "Heather Linn",
                        "Walker Johnson"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS inspection",
                        "Process use of network",
                        "Process monitoring",
                        "Netflow/Enclave netflow",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_version": "3.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 17:54:28.531000+00:00\", \"old_value\": \"2020-06-20 20:53:20.670000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.1\", \"old_value\": \"3.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "3.0",
                    "version_change": "3.0 \u2192 3.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1020: SSL/TLS Inspection",
                            "M1031: Network Intrusion Prevention",
                            "M1037: Filter Network Traffic"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-14 23:29:19.581000+00:00",
                    "modified": "2020-09-16 19:30:54.226000+00:00",
                    "name": "Domain Fronting",
                    "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\n\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1090/004",
                            "external_id": "T1090.004"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/481.html",
                            "external_id": "CAPEC-481"
                        },
                        {
                            "source_name": "Fifield Blocking Resistent Communication through domain fronting 2015",
                            "description": "David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.",
                            "url": "http://www.icir.org/vern/papers/meek-PETS-2015.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Matt Kelly, @breakersall"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS inspection",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-481\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:30:54.226000+00:00\", \"old_value\": \"2020-06-20 20:53:20.398000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Fifield Blocking Resistent Communication through domain fronting 2015\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/481.html\", \"old_value\": \"http://www.icir.org/vern/papers/meek-PETS-2015.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Fifield Blocking Resistent Communication through domain fronting 2015\", \"description\": \"David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.\", \"url\": \"http://www.icir.org/vern/papers/meek-PETS-2015.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1020: SSL/TLS Inspection"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-12-13 16:46:18.927000+00:00",
                    "modified": "2020-09-16 19:34:19.752000+00:00",
                    "name": "Web Shell",
                    "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1505/003",
                            "external_id": "T1505.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/650.html",
                            "external_id": "CAPEC-650"
                        },
                        {
                            "source_name": "Lee 2013",
                            "description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.",
                            "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html"
                        },
                        {
                            "source_name": "US-CERT Alert TA15-314A Web Shells",
                            "description": "US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA15-314A"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "Netflow/Enclave netflow",
                        "File monitoring",
                        "Authentication logs"
                    ],
                    "x_mitre_detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<code>&lt;?php @eval($_POST['password']);&gt;</code>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "SYSTEM",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS"
                    ],
                    "x_mitre_system_requirements": [
                        "Adversary access to Web server with vulnerability or account to upload and serve the Web shell file."
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-650\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:34:19.752000+00:00\", \"old_value\": \"2020-04-17 17:47:56.673000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Lee 2013\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/650.html\", \"old_value\": \"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Lee 2013\", \"old_value\": \"US-CERT Alert TA15-314A Web Shells\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.\", \"old_value\": \"US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html\", \"old_value\": \"https://www.us-cert.gov/ncas/alerts/TA15-314A\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"US-CERT Alert TA15-314A Web Shells\", \"description\": \"US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.\", \"url\": \"https://www.us-cert.gov/ncas/alerts/TA15-314A\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-03-29 19:00:55.901000+00:00",
                    "modified": "2020-07-24 15:36:08.042000+00:00",
                    "name": "Service Stop",
                    "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1489",
                            "external_id": "T1489"
                        },
                        {
                            "source_name": "Talos Olympic Destroyer 2018",
                            "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
                            "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
                        },
                        {
                            "source_name": "Novetta Blockbuster",
                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
                            "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
                        },
                        {
                            "source_name": "SecureWorks WannaCry Analysis",
                            "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.",
                            "url": "https://www.secureworks.com/research/wcry-ransomware-analysis"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process command-line parameters",
                        "Process monitoring",
                        "Windows Registry",
                        "API monitoring"
                    ],
                    "x_mitre_detection": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\n\nMonitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\n\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, <code>ChangeServiceConfigW</code> may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "Linux",
                        "macOS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-24 15:36:08.042000+00:00\", \"old_value\": \"2020-07-14 19:34:47.636000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\\n\\nMonitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at <code>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services</code>. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\\n\\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\\n\\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, <code>ChangeServiceConfigW</code> may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)\", \"old_value\": \"Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\\n\\nMonitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. 
Service information is stored in the Registry at <code>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services</code>.\\n\\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\\n\\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, <code>ChangeServiceConfigW</code> may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\\n \\n-Monitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at <code>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services</code>.\\n+Monitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at <code>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services</code>. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\\n \\n Alterations to the service binary path or the service startup type changed to disabled may be suspicious.\\n \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"File monitoring\", \"root['x_mitre_platforms'][1]\": \"Linux\", \"root['x_mitre_platforms'][2]\": \"macOS\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1022: Restrict File and Directory Permissions",
                            "M1024: Restrict Registry Permissions",
                            "M1030: Network Segmentation",
                            "T1489: Service Stop Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-23 19:59:52.630000+00:00",
                    "modified": "2020-10-21 18:37:11.672000+00:00",
                    "name": "Control Panel",
                    "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls</code>. Even when these registered DLLs do not comply with the CPL file specification and do not export <code>CPlApplet</code> functions, they are loaded and executed through its <code>DllEntryPoint</code> when Control Panel is executed. CPL files not exporting <code>CPlApplet</code> are not directly executable.(Citation: ESET InvisiMole June 2020)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1218/002",
                            "external_id": "T1218.002"
                        },
                        {
                            "source_name": "Microsoft Implementing CPL",
                            "description": "M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.",
                            "url": "https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx"
                        },
                        {
                            "source_name": "TrendMicro CPL Malware Jan 2014",
                            "description": "Merc\u00eas, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.",
                            "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf"
                        },
                        {
                            "source_name": "TrendMicro CPL Malware Dec 2013",
                            "description": "Bernardino, J. (2013, December 17). Control Panel Files Used As Malicious Attachments. Retrieved January 18, 2018.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/"
                        },
                        {
                            "source_name": "Palo Alto Reaver Nov 2017",
                            "description": "Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.",
                            "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
                        },
                        {
                            "source_name": "ESET InvisiMole June 2020",
                            "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "ESET"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "Process command-line parameters",
                        "Windows Registry",
                        "DLL monitoring",
                        "Binary file metadata",
                        "API monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Application control"
                    ],
                    "x_mitre_detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the <code>Control_RunDLL</code> and <code>ControlRunDLLAsUser</code> API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: <code>control.exe file.cpl</code>) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: <code>rundll32.exe shell32.dll,Control_RunDLL file.cpl</code>). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace</code> and <code>HKEY_CLASSES_ROOT\\CLSID\\{GUID}</code>. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the <code>CPLs</code> and <code>Extended Properties</code> Registry keys of <code>HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel</code>. 
These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically (<code> WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);</code>) or from a command line (<code>control.exe /name {Canonical_Name}</code>).(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers</code> where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"ESET\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 18:37:11.672000+00:00\", \"old_value\": \"2020-06-20 22:33:18.929000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\\n\\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\\n\\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\\n\\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to <code>HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Control Panel\\\\Cpls</code>. 
Even when these registered DLLs do not comply with the CPL file specification and do not export <code>CPlApplet</code> functions, they are loaded and executed through its <code>DllEntryPoint</code> when Control Panel is executed. CPL files not exporting <code>CPlApplet</code> are not directly executable.(Citation: ESET InvisiMole June 2020)\", \"old_value\": \"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)\\n\\nFor ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)\\n\\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may abuse control.exe to proxy execution of malicious payloads. 
The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)\\n+Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\\n \\n-For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. 
(Citation: Microsoft Implementing CPL)\\n+Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\\n \\n-Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\\n+Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\\n+\\n+Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to <code>HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Control Panel\\\\Cpls</code>. 
Even when these registered DLLs do not comply with the CPL file specification and do not export <code>CPlApplet</code> functions, they are loaded and executed through its <code>DllEntryPoint</code> when Control Panel is executed. CPL files not exporting <code>CPlApplet</code> are not directly executable.(Citation: ESET InvisiMole June 2020)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the <code>Control_RunDLL</code> and <code>ControlRunDLLAsUser</code> API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: <code>control.exe file.cpl</code>) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: <code>rundll32.exe shell32.dll,Control_RunDLL file.cpl</code>). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\\n\\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\\n\\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ControlPanel\\\\NameSpace</code> and <code>HKEY_CLASSES_ROOT\\\\CLSID\\\\{GUID}</code>. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. 
Other Control Panel items will have registration entries in the <code>CPLs</code> and <code>Extended Properties</code> Registry keys of <code>HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Control Panel</code>. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically (<code> WinExec(\\\"c:\\\\windows\\\\system32\\\\control.exe {Canonical_Name}\\\", SW_NORMAL);</code>) or from a command line (<code>control.exe /name {Canonical_Name}</code>).(Citation: Microsoft Implementing CPL)\\n* Some Control Panel items are extensible via Shell extensions registered in <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Controls Folder\\\\{name}\\\\Shellex\\\\PropertySheetHandlers</code> where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\\n\\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)\", \"old_value\": \"Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the <code>Control_RunDLL</code> and <code>ControlRunDLLAsUser</code> API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: <code>control.exe file.cpl</code>) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: <code>rundll32.exe shell32.dll,Control_RunDLL file.cpl</code>). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. 
(Citation: TrendMicro CPL Malware Jan 2014)\\n\\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\\n\\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ControlPanel\\\\NameSpace</code> and <code>HKEY_CLASSES_ROOT\\\\CLSID\\\\{GUID}</code>. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the <code>Cpls</code> and <code>Extended Properties</code> Registry keys of <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Control Panel</code>. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically (<code> WinExec(\\\"c:\\\\windows\\\\system32\\\\control.exe {Canonical_Name}\\\", SW_NORMAL);</code>) or from a command line (<code>control.exe /name {Canonical_Name}</code>). (Citation: Microsoft Implementing CPL)\\n* Some Control Panel items are extensible via Shell extensions registered in <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Controls Folder\\\\{name}\\\\Shellex\\\\PropertySheetHandlers</code> where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL)\\n\\nAnalyze new Control Panel items as well as those present on disk for malicious content. 
Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014)\", \"diff\": \"--- \\n+++ \\n@@ -1,9 +1,9 @@\\n-Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the <code>Control_RunDLL</code> and <code>ControlRunDLLAsUser</code> API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: <code>control.exe file.cpl</code>) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: <code>rundll32.exe shell32.dll,Control_RunDLL file.cpl</code>). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014)\\n+Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the <code>Control_RunDLL</code> and <code>ControlRunDLLAsUser</code> API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: <code>control.exe file.cpl</code>) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: <code>rundll32.exe shell32.dll,Control_RunDLL file.cpl</code>). 
CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\\n \\n Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:\\n \\n * Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ControlPanel\\\\NameSpace</code> and <code>HKEY_CLASSES_ROOT\\\\CLSID\\\\{GUID}</code>. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\\n-* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the <code>Cpls</code> and <code>Extended Properties</code> Registry keys of <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Control Panel</code>. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically (<code> WinExec(\\\"c:\\\\windows\\\\system32\\\\control.exe {Canonical_Name}\\\", SW_NORMAL);</code>) or from a command line (<code>control.exe /name {Canonical_Name}</code>). (Citation: Microsoft Implementing CPL)\\n-* Some Control Panel items are extensible via Shell extensions registered in <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Controls Folder\\\\{name}\\\\Shellex\\\\PropertySheetHandlers</code> where {name} is the predefined name of the system item. 
(Citation: Microsoft Implementing CPL)\\n+* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the <code>CPLs</code> and <code>Extended Properties</code> Registry keys of <code>HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Control Panel</code>. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically (<code> WinExec(\\\"c:\\\\windows\\\\system32\\\\control.exe {Canonical_Name}\\\", SW_NORMAL);</code>) or from a command line (<code>control.exe /name {Canonical_Name}</code>).(Citation: Microsoft Implementing CPL)\\n+* Some Control Panel items are extensible via Shell extensions registered in <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Controls Folder\\\\{name}\\\\Shellex\\\\PropertySheetHandlers</code> where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\\n \\n-Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014)\\n+Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"ESET InvisiMole June 2020\", \"description\": \"Hromcova, Z. and Cherpanov, A. (2020, June). 
INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.\", \"url\": \"https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to25__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to25__0\"><a href=\"#difflib_chg_to25__top\">t</a></td><td class=\"diff_header\" id=\"from25_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;abuse&nbsp;control.exe&nbsp;to&nbsp;proxy&nbsp;execution&nbsp;of&nbsp;mali</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to25__top\">t</a></td><td class=\"diff_header\" id=\"to25_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;abuse&nbsp;control.exe&nbsp;to&nbsp;proxy&nbsp;execution&nbsp;of&nbsp;mali</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cious&nbsp;payloads.&nbsp;The&nbsp;Windows&nbsp;Control&nbsp;Panel&nbsp;process&nbsp;binary&nbsp;(co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cious&nbsp;payloads.&nbsp;The&nbsp;Windows&nbsp;Control&nbsp;Panel&nbsp;process&nbsp;binary&nbsp;(co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ntrol.exe)&nbsp;handles&nbsp;execution&nbsp;of&nbsp;Control&nbsp;Panel&nbsp;items,&nbsp;which&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ntrol.exe)&nbsp;handles&nbsp;execution&nbsp;of&nbsp;Control&nbsp;Panel&nbsp;items,&nbsp;which&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">re&nbsp;utilities&nbsp;that&nbsp;allow&nbsp;users&nbsp;to&nbsp;view&nbsp;and&nbsp;adjust&nbsp;computer&nbsp;se</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re&nbsp;utilities&nbsp;that&nbsp;allow&nbsp;users&nbsp;to&nbsp;view&nbsp;and&nbsp;adjust&nbsp;computer&nbsp;se</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ttings.&nbsp;Control&nbsp;Panel&nbsp;items&nbsp;are&nbsp;registered&nbsp;executable&nbsp;(.exe)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ttings.&nbsp;&nbsp;Control&nbsp;Panel&nbsp;items&nbsp;are&nbsp;registered&nbsp;executable&nbsp;(.exe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;or&nbsp;Control&nbsp;Panel&nbsp;(.cpl)&nbsp;files,&nbsp;the&nbsp;latter&nbsp;are&nbsp;actually&nbsp;rena</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">)&nbsp;or&nbsp;Control&nbsp;Panel&nbsp;(.cpl)&nbsp;files,&nbsp;the&nbsp;latter&nbsp;are&nbsp;actually&nbsp;ren</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">med&nbsp;dynamic-link&nbsp;library&nbsp;(.dll)&nbsp;files&nbsp;that&nbsp;export&nbsp;a&nbsp;&lt;code&gt;CP</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">amed&nbsp;dynamic-link&nbsp;library&nbsp;(.dll)&nbsp;files&nbsp;that&nbsp;export&nbsp;a&nbsp;&lt;code&gt;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lApplet&lt;/code&gt;&nbsp;function.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Implementing&nbsp;C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">PlApplet&lt;/code&gt;&nbsp;function.(Citation:&nbsp;Microsoft&nbsp;Implementing&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">PL)&nbsp;(Citation:&nbsp;TrendMicro&nbsp;CPL&nbsp;Malware&nbsp;Jan&nbsp;2014)&nbsp;Control&nbsp;Pane</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">PL)(Citation:&nbsp;TrendMicro&nbsp;CPL&nbsp;Malware&nbsp;Jan&nbsp;2014)&nbsp;For&nbsp;ease&nbsp;of&nbsp;u</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l&nbsp;items&nbsp;can&nbsp;be&nbsp;executed&nbsp;directly&nbsp;from&nbsp;the&nbsp;command&nbsp;line,&nbsp;prog</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">se,&nbsp;Control&nbsp;Panel&nbsp;items&nbsp;typically&nbsp;include&nbsp;graphical&nbsp;menus&nbsp;av</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rammatically&nbsp;via&nbsp;an&nbsp;application&nbsp;programming&nbsp;interface&nbsp;(API)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ailable&nbsp;to&nbsp;users&nbsp;after&nbsp;being&nbsp;registered&nbsp;and&nbsp;loaded&nbsp;into&nbsp;the&nbsp;</span></td></tr>\n       
     <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">call,&nbsp;or&nbsp;by&nbsp;simply&nbsp;double-clicking&nbsp;the&nbsp;file.&nbsp;(Citation:&nbsp;Micr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Control&nbsp;Panel.(Citation:&nbsp;Microsoft&nbsp;Implementing&nbsp;CPL)&nbsp;Control</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">osoft&nbsp;Implementing&nbsp;CPL)&nbsp;(Citation:&nbsp;TrendMicro&nbsp;CPL&nbsp;Malware&nbsp;Ja</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Panel&nbsp;items&nbsp;can&nbsp;be&nbsp;executed&nbsp;directly&nbsp;from&nbsp;the&nbsp;command&nbsp;line,</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;2014)&nbsp;(Citation:&nbsp;TrendMicro&nbsp;CPL&nbsp;Malware&nbsp;Dec&nbsp;2013)&nbsp;&nbsp;For&nbsp;eas</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;programmatically&nbsp;via&nbsp;an&nbsp;application&nbsp;programming&nbsp;interface&nbsp;(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;of&nbsp;use,&nbsp;Control&nbsp;Panel&nbsp;items&nbsp;typically&nbsp;include&nbsp;graphical&nbsp;me</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">API)&nbsp;call,&nbsp;or&nbsp;by&nbsp;simply&nbsp;double-clicking&nbsp;the&nbsp;file.(Citation:&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">nus&nbsp;available&nbsp;to&nbsp;users&nbsp;after&nbsp;being&nbsp;registered&nbsp;and&nbsp;loaded&nbsp;int</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Microsoft&nbsp;Implementing&nbsp;CPL)&nbsp;(Citation:&nbsp;TrendMicro&nbsp;CPL&nbsp;Malwar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;the&nbsp;Control&nbsp;Panel.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Implementing&nbsp;CPL)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;Jan&nbsp;2014)(Citation:&nbsp;TrendMicro&nbsp;CPL&nbsp;Malware&nbsp;Dec&nbsp;2013)&nbsp;&nbsp;Mali</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Malicious&nbsp;Control&nbsp;Panel&nbsp;items&nbsp;can&nbsp;be&nbsp;delivered&nbsp;via&nbsp;[Phishin</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cious&nbsp;Control&nbsp;Panel&nbsp;items&nbsp;can&nbsp;be&nbsp;delivered&nbsp;via&nbsp;[Phishing](ht</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">g](https://attack.mitre.org/techniques/T1566)&nbsp;campaigns&nbsp;(Cit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tps://attack.mitre.org/techniques/T1566)&nbsp;campaigns(Citation:</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ation:&nbsp;TrendMicro&nbsp;CPL&nbsp;Malware&nbsp;Jan&nbsp;2014)&nbsp;(Citation:&nbsp;TrendMicr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;TrendMicro&nbsp;CPL&nbsp;Malware&nbsp;Jan&nbsp;2014)(Citation:&nbsp;TrendMicro&nbsp;CPL&nbsp;M</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;CPL&nbsp;Malware&nbsp;Dec&nbsp;2013)&nbsp;or&nbsp;executed&nbsp;as&nbsp;part&nbsp;of&nbsp;multi-stage&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">alware&nbsp;Dec&nbsp;2013)&nbsp;or&nbsp;executed&nbsp;as&nbsp;part&nbsp;of&nbsp;multi-stage&nbsp;malware.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alware.&nbsp;(Citation:&nbsp;Palo&nbsp;Alto&nbsp;Reaver&nbsp;Nov&nbsp;2017)&nbsp;Control&nbsp;Panel&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;Palo&nbsp;Alto&nbsp;Reaver&nbsp;Nov&nbsp;2017)&nbsp;Control&nbsp;Panel&nbsp;items,&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">items,&nbsp;specifically&nbsp;CPL&nbsp;files,&nbsp;may&nbsp;also&nbsp;bypass&nbsp;application&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pecifically&nbsp;CPL&nbsp;files,&nbsp;may&nbsp;also&nbsp;bypass&nbsp;application&nbsp;and/or&nbsp;fi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd/or&nbsp;file&nbsp;extension&nbsp;allow&nbsp;lists.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">le&nbsp;extension&nbsp;allow&nbsp;lists.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;rename&nbsp;malic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ious&nbsp;DLL&nbsp;files&nbsp;(.dll)&nbsp;with&nbsp;Control&nbsp;Panel&nbsp;file&nbsp;extensions&nbsp;(.c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pl)&nbsp;and&nbsp;register&nbsp;them&nbsp;to&nbsp;&lt;code&gt;HKCU\\Software\\Microsoft\\Windo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ws\\CurrentVersion\\Control&nbsp;Panel\\Cpls&lt;/code&gt;.&nbsp;Even&nbsp;when&nbsp;these</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;registered&nbsp;DLLs&nbsp;do&nbsp;not&nbsp;comply&nbsp;with&nbsp;the&nbsp;CPL&nbsp;file&nbsp;specificati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on&nbsp;and&nbsp;do&nbsp;not&nbsp;export&nbsp;&lt;code&gt;CPlApplet&lt;/code&gt;&nbsp;functions,&nbsp;they&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">are&nbsp;loaded&nbsp;and&nbsp;executed&nbsp;through&nbsp;its&nbsp;&lt;code&gt;DllEntryPoint&lt;/cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;&nbsp;when&nbsp;Control&nbsp;Panel&nbsp;is&nbsp;executed.&nbsp;CPL&nbsp;files&nbsp;not&nbsp;exporting&nbsp;&lt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">code&gt;CPlApplet&lt;/code&gt;&nbsp;are&nbsp;not&nbsp;directly&nbsp;executable.(Citation:</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;ESET&nbsp;InvisiMole&nbsp;June&nbsp;2020)</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1038: Execution Prevention"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:57.201000+00:00",
                    "modified": "2020-09-16 15:27:01.403000+00:00",
                    "name": "Software Deployment Tools",
                    "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "execution"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "lateral-movement"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1072",
                            "external_id": "T1072"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/187.html",
                            "external_id": "CAPEC-187"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Shane Tully, @securitygypsy"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "File monitoring",
                        "Third-party application logs",
                        "Windows Registry",
                        "Process monitoring",
                        "Process use of network",
                        "Binary file metadata"
                    ],
                    "x_mitre_detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \n\nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\n\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_remote_support": true,
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:27:01.403000+00:00\", \"old_value\": \"2020-02-21 16:31:32.789000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"capec\", \"url\": \"https://capec.mitre.org/data/definitions/187.html\", \"external_id\": \"CAPEC-187\"}}}",
                    "previous_version": "2.0",
                    "version_change": "2.0 \u2192 2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1015: Active Directory Configuration",
                            "M1017: User Training",
                            "M1018: User Account Management",
                            "M1026: Privileged Account Management",
                            "M1027: Password Policies",
                            "M1029: Remote Data Storage",
                            "M1030: Network Segmentation",
                            "M1032: Multi-factor Authentication",
                            "M1051: Update Software",
                            "T1072: Third-party Software Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-09-16 17:52:44.147000+00:00",
                    "modified": "2020-09-16 19:36:17.133000+00:00",
                    "name": "Software Discovery",
                    "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1518",
                            "external_id": "T1518"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/580.html",
                            "external_id": "CAPEC-580"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Stackdriver logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs",
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:36:17.133000+00:00\", \"old_value\": \"2020-06-29 19:34:39.136000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"capec\", \"url\": \"https://capec.mitre.org/data/definitions/580.html\", \"external_id\": \"CAPEC-580\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-21 21:16:18.066000+00:00",
                    "modified": "2020-09-16 19:36:16.978000+00:00",
                    "name": "Security Software Discovery",
                    "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1518/001",
                            "external_id": "T1518.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/581.html",
                            "external_id": "CAPEC-581"
                        },
                        {
                            "source_name": "Expel IO Evil in AWS",
                            "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.",
                            "url": "https://expel.io/blog/finding-evil-in-aws/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Stackdriver logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs",
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-581\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:36:16.978000+00:00\", \"old_value\": \"2020-06-29 17:32:24.787000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Expel IO Evil in AWS\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/581.html\", \"old_value\": \"https://expel.io/blog/finding-evil-in-aws/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Expel IO Evil in AWS\", \"description\": \"A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.\", \"url\": \"https://expel.io/blog/finding-evil-in-aws/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 19:12:46.830000+00:00",
                    "modified": "2020-09-29 16:16:06.868000+00:00",
                    "name": "Steal or Forge Kerberos Tickets",
                    "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). \n\nKerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \u201crealms\u201d, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1558",
                            "external_id": "T1558"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/652.html",
                            "external_id": "CAPEC-652"
                        },
                        {
                            "source_name": "ADSecurity Kerberos Ring Decoder",
                            "description": "Sean Metcalf. (2014, September 12). Kerberos, Active Directory\u2019s Secret Decoder Ring. Retrieved February 27, 2020.",
                            "url": "https://adsecurity.org/?p=227"
                        },
                        {
                            "source_name": "ADSecurity Detecting Forged Tickets",
                            "description": "Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.",
                            "url": "https://adsecurity.org/?p=1515"
                        },
                        {
                            "source_name": "Stealthbits Detect PtT 2019",
                            "description": "Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.",
                            "url": "https://blog.stealthbits.com/detect-pass-the-ticket-attacks"
                        },
                        {
                            "source_name": "CERT-EU Golden Ticket Protection",
                            "description": "Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.",
                            "url": "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"
                        },
                        {
                            "source_name": "Microsoft Kerberos Golden Ticket",
                            "description": "Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.",
                            "url": "https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285"
                        },
                        {
                            "source_name": "Microsoft Detecting Kerberoasting Feb 2018",
                            "description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.",
                            "url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/"
                        },
                        {
                            "source_name": "AdSecurity Cracking Kerberos Dec 2015",
                            "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.",
                            "url": "https://adsecurity.org/?p=2293"
                        },
                        {
                            "source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
                            "description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.",
                            "url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Windows event logs",
                        "Authentication logs"
                    ],
                    "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_system_requirements": [
                        "Kerberos authentication enabled"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-652\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Sean Metcalf. (2014, September 12). Kerberos, Active Directory\\u2019s Secret Decoder Ring. Retrieved February 27, 2020.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-29 16:16:06.868000+00:00\", \"old_value\": \"2020-03-31 12:59:11.121000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"ADSecurity Kerberos Ring Decoder\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/652.html\", \"old_value\": \"https://adsecurity.org/?p=227\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"ADSecurity Kerberos Ring Decoder\", \"old_value\": \"ADSecurity Detecting Forged Tickets\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Sean Metcalf. (2014, September 12). Kerberos, Active Directory\\u2019s Secret Decoder Ring. Retrieved February 27, 2020.\", \"old_value\": \"Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://adsecurity.org/?p=227\", \"old_value\": \"https://adsecurity.org/?p=1515\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"ADSecurity Detecting Forged Tickets\", \"old_value\": \"Stealthbits Detect PtT 2019\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.\", \"old_value\": \"Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. 
Retrieved February 27, 2020.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://adsecurity.org/?p=1515\", \"old_value\": \"https://blog.stealthbits.com/detect-pass-the-ticket-attacks\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Stealthbits Detect PtT 2019\", \"old_value\": \"CERT-EU Golden Ticket Protection\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.\", \"old_value\": \"Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://blog.stealthbits.com/detect-pass-the-ticket-attacks\", \"old_value\": \"https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"CERT-EU Golden Ticket Protection\", \"old_value\": \"Microsoft Kerberos Golden Ticket\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.\", \"old_value\": \"Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). 
Retrieved February 27, 2020.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf\", \"old_value\": \"https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Microsoft Kerberos Golden Ticket\", \"old_value\": \"Microsoft Detecting Kerberoasting Feb 2018\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.\", \"old_value\": \"Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285\", \"old_value\": \"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/\"}, \"root['external_references'][7]['source_name']\": {\"new_value\": \"Microsoft Detecting Kerberoasting Feb 2018\", \"old_value\": \"AdSecurity Cracking Kerberos Dec 2015\"}, \"root['external_references'][7]['description']\": {\"new_value\": \"Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.\", \"old_value\": \"Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \\u2013 Exploiting Kerberos to Compromise the Active Directory Domain. 
Retrieved March 22, 2018.\"}, \"root['external_references'][7]['url']\": {\"new_value\": \"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/\", \"old_value\": \"https://adsecurity.org/?p=2293\"}, \"root['external_references'][8]['source_name']\": {\"new_value\": \"AdSecurity Cracking Kerberos Dec 2015\", \"old_value\": \"Medium Detecting Attempts to Steal Passwords from Memory\"}, \"root['external_references'][8]['description']\": {\"new_value\": \"Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \\u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.\", \"old_value\": \"French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.\"}, \"root['external_references'][8]['url']\": {\"new_value\": \"https://adsecurity.org/?p=2293\", \"old_value\": \"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][9]\": {\"source_name\": \"Medium Detecting Attempts to Steal Passwords from Memory\", \"description\": \"French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.\", \"url\": \"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1015: Active Directory Configuration",
                            "M1026: Privileged Account Management",
                            "M1027: Password Policies",
                            "M1041: Encrypt Sensitive Information"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:43:38.588000+00:00",
                    "modified": "2020-10-20 19:30:10.687000+00:00",
                    "name": "Kerberoasting",
                    "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) \n\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)\n\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\n\nThis same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1558/003",
                            "external_id": "T1558.003"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/509.html",
                            "external_id": "CAPEC-509"
                        },
                        {
                            "source_name": "Empire InvokeKerberoast Oct 2016",
                            "description": "EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.",
                            "url": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"
                        },
                        {
                            "source_name": "AdSecurity Cracking Kerberos Dec 2015",
                            "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.",
                            "url": "https://adsecurity.org/?p=2293"
                        },
                        {
                            "source_name": "Microsoft Detecting Kerberoasting Feb 2018",
                            "description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.",
                            "url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/"
                        },
                        {
                            "source_name": "Microsoft SPN",
                            "description": "Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018.",
                            "url": "https://msdn.microsoft.com/library/ms677949.aspx"
                        },
                        {
                            "source_name": "Microsoft SetSPN",
                            "description": "Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018.",
                            "url": "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx"
                        },
                        {
                            "source_name": "SANS Attacking Kerberos Nov 2014",
                            "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.",
                            "url": "https://redsiege.com/kerberoast-slides"
                        },
                        {
                            "source_name": "Harmj0y Kerberoast Nov 2016",
                            "description": "Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.",
                            "url": "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "Windows event logs"
                    ],
                    "x_mitre_detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_system_requirements": [
                        "Valid domain account or the ability to sniff traffic within a domain"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-509\", \"root['external_references'][6]['url']\": \"https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-20 19:30:10.687000+00:00\", \"old_value\": \"2020-02-27 18:25:30.124000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Empire InvokeKerberoast Oct 2016\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/509.html\", \"old_value\": \"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Empire InvokeKerberoast Oct 2016\", \"old_value\": \"AdSecurity Cracking Kerberos Dec 2015\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.\", \"old_value\": \"Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \\u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1\", \"old_value\": \"https://adsecurity.org/?p=2293\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"AdSecurity Cracking Kerberos Dec 2015\", \"old_value\": \"Microsoft Detecting Kerberoasting Feb 2018\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Metcalf, S. 
(2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \\u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.\", \"old_value\": \"Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://adsecurity.org/?p=2293\", \"old_value\": \"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Microsoft Detecting Kerberoasting Feb 2018\", \"old_value\": \"Microsoft SPN\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.\", \"old_value\": \"Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/\", \"old_value\": \"https://msdn.microsoft.com/library/ms677949.aspx\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Microsoft SPN\", \"old_value\": \"Microsoft SetSPN\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018.\", \"old_value\": \"Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). 
Retrieved March 22, 2018.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://msdn.microsoft.com/library/ms677949.aspx\", \"old_value\": \"https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Microsoft SetSPN\", \"old_value\": \"SANS Attacking Kerberos Nov 2014\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018.\", \"old_value\": \"Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.\"}, \"root['external_references'][7]['source_name']\": {\"new_value\": \"SANS Attacking Kerberos Nov 2014\", \"old_value\": \"Harmj0y Kerberoast Nov 2016\"}, \"root['external_references'][7]['description']\": {\"new_value\": \"Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.\", \"old_value\": \"Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.\"}, \"root['external_references'][7]['url']\": {\"new_value\": \"https://redsiege.com/kerberoast-slides\", \"old_value\": \"https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][8]\": {\"source_name\": \"Harmj0y Kerberoast Nov 2016\", \"description\": \"Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.\", \"url\": \"https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1027: Password Policies",
                            "M1041: Encrypt Sensitive Information"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-10-21 15:30:44.964000+00:00",
                    "name": "Traffic Signaling",
                    "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet.  Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks)  To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1205",
                            "external_id": "T1205"
                        },
                        {
                            "source_name": "Hartrell cd00r 2002",
                            "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.",
                            "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        },
                        {
                            "source_name": "FireEye - Synful Knock",
                            "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html"
                        },
                        {
                            "source_name": "Cisco Blog Legacy Device Attacks",
                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Josh Day, Gigamon"
                    ],
                    "x_mitre_data_sources": [
                        "Packet capture",
                        "Netflow/Enclave netflow"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Defensive network service scanning"
                    ],
                    "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_network_requirements": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 15:30:44.964000+00:00\", \"old_value\": \"2020-07-01 18:27:41.755000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\\n\\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\\n\\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\\n\\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet.  
Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks)  To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.\", \"old_value\": \"Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\\n\\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\\n\\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. 
Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\", \"diff\": \"--- \\n+++ \\n@@ -3,3 +3,5 @@\\n Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\\n \\n The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\\n+\\n+On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet.  Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks)  To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Cisco Synful Knock Evolution\", \"description\": \"Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. 
Retrieved October 19, 2020.\", \"url\": \"https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices\"}, \"root['external_references'][3]\": {\"source_name\": \"FireEye - Synful Knock\", \"description\": \"Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.\", \"url\": \"https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html\"}, \"root['external_references'][4]\": {\"source_name\": \"Cisco Blog Legacy Device Attacks\", \"description\": \"Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.\", \"url\": \"https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954\"}, \"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "2.0",
                    "version_change": "2.0 \u2192 2.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to26__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to26__0\"><a href=\"#difflib_chg_to26__top\">t</a></td><td class=\"diff_header\" id=\"from26_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;use&nbsp;traffic&nbsp;signaling&nbsp;to&nbsp;hide&nbsp;open&nbsp;ports&nbsp;or&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to26__top\">t</a></td><td class=\"diff_header\" id=\"to26_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;use&nbsp;traffic&nbsp;signaling&nbsp;to&nbsp;hide&nbsp;open&nbsp;ports&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">other&nbsp;malicious&nbsp;functionality&nbsp;used&nbsp;for&nbsp;persistence&nbsp;or&nbsp;comman</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">other&nbsp;malicious&nbsp;functionality&nbsp;used&nbsp;for&nbsp;persistence&nbsp;or&nbsp;comman</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;and&nbsp;control.&nbsp;Traffic&nbsp;signaling&nbsp;involves&nbsp;the&nbsp;use&nbsp;of&nbsp;a&nbsp;magic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;and&nbsp;control.&nbsp;Traffic&nbsp;signaling&nbsp;involves&nbsp;the&nbsp;use&nbsp;of&nbsp;a&nbsp;magic</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;value&nbsp;or&nbsp;sequence&nbsp;that&nbsp;must&nbsp;be&nbsp;sent&nbsp;to&nbsp;a&nbsp;system&nbsp;to&nbsp;trigger&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;value&nbsp;or&nbsp;sequence&nbsp;that&nbsp;must&nbsp;be&nbsp;sent&nbsp;to&nbsp;a&nbsp;system&nbsp;to&nbsp;trigger&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;special&nbsp;response,&nbsp;such&nbsp;as&nbsp;opening&nbsp;a&nbsp;closed&nbsp;port&nbsp;or&nbsp;executi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;special&nbsp;response,&nbsp;such&nbsp;as&nbsp;opening&nbsp;a&nbsp;closed&nbsp;port&nbsp;or&nbsp;executi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;a&nbsp;malicious&nbsp;task.&nbsp;This&nbsp;may&nbsp;take&nbsp;the&nbsp;form&nbsp;of&nbsp;sending&nbsp;a&nbsp;ser</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;a&nbsp;malicious&nbsp;task.&nbsp;This&nbsp;may&nbsp;take&nbsp;the&nbsp;form&nbsp;of&nbsp;sending&nbsp;a&nbsp;ser</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;of&nbsp;packets&nbsp;with&nbsp;certain&nbsp;characteristics&nbsp;before&nbsp;a&nbsp;port&nbsp;wi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;of&nbsp;packets&nbsp;with&nbsp;certain&nbsp;characteristics&nbsp;before&nbsp;a&nbsp;port&nbsp;wi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ll&nbsp;be&nbsp;opened&nbsp;that&nbsp;the&nbsp;adversary&nbsp;can&nbsp;use&nbsp;for&nbsp;command&nbsp;and&nbsp;cont</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ll&nbsp;be&nbsp;opened&nbsp;that&nbsp;the&nbsp;adversary&nbsp;can&nbsp;use&nbsp;for&nbsp;command&nbsp;and&nbsp;cont</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rol.&nbsp;Usually&nbsp;this&nbsp;series&nbsp;of&nbsp;packets&nbsp;consists&nbsp;of&nbsp;attempted&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rol.&nbsp;Usually&nbsp;this&nbsp;series&nbsp;of&nbsp;packets&nbsp;consists&nbsp;of&nbsp;attempted&nbsp;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nnections&nbsp;to&nbsp;a&nbsp;predefined&nbsp;sequence&nbsp;of&nbsp;closed&nbsp;ports&nbsp;(i.e.&nbsp;[Po</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nnections&nbsp;to&nbsp;a&nbsp;predefined&nbsp;sequence&nbsp;of&nbsp;closed&nbsp;ports&nbsp;(i.e.&nbsp;[Po</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rt&nbsp;Knocking](https://attack.mitre.org/techniques/T1205/001))</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rt&nbsp;Knocking](https://attack.mitre.org/techniques/T1205/001))</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;but&nbsp;can&nbsp;involve&nbsp;unusual&nbsp;flags,&nbsp;specific&nbsp;strings,&nbsp;or&nbsp;other&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;but&nbsp;can&nbsp;involve&nbsp;unusual&nbsp;flags,&nbsp;specific&nbsp;strings,&nbsp;or&nbsp;other&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unique&nbsp;characteristics.&nbsp;After&nbsp;the&nbsp;sequence&nbsp;is&nbsp;completed,&nbsp;ope</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">unique&nbsp;characteristics.&nbsp;After&nbsp;the&nbsp;sequence&nbsp;is&nbsp;completed,&nbsp;ope</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ning&nbsp;a&nbsp;port&nbsp;may&nbsp;be&nbsp;accomplished&nbsp;by&nbsp;the&nbsp;host-based&nbsp;firewall,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ning&nbsp;a&nbsp;port&nbsp;may&nbsp;be&nbsp;accomplished&nbsp;by&nbsp;the&nbsp;host-based&nbsp;firewall,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">but&nbsp;could&nbsp;also&nbsp;be&nbsp;implemented&nbsp;by&nbsp;custom&nbsp;software.&nbsp;&nbsp;Adversari</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">but&nbsp;could&nbsp;also&nbsp;be&nbsp;implemented&nbsp;by&nbsp;custom&nbsp;software.&nbsp;&nbsp;Adversari</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;may&nbsp;also&nbsp;communicate&nbsp;with&nbsp;an&nbsp;already&nbsp;open&nbsp;port,&nbsp;but&nbsp;the&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;may&nbsp;also&nbsp;communicate&nbsp;with&nbsp;an&nbsp;already&nbsp;open&nbsp;port,&nbsp;but&nbsp;the&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ervice&nbsp;listening&nbsp;on&nbsp;that&nbsp;port&nbsp;will&nbsp;only&nbsp;respond&nbsp;to&nbsp;commands&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ervice&nbsp;listening&nbsp;on&nbsp;that&nbsp;port&nbsp;will&nbsp;only&nbsp;respond&nbsp;to&nbsp;commands&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">or&nbsp;trigger&nbsp;other&nbsp;malicious&nbsp;functionality&nbsp;if&nbsp;passed&nbsp;the&nbsp;appro</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;trigger&nbsp;other&nbsp;malicious&nbsp;functionality&nbsp;if&nbsp;passed&nbsp;the&nbsp;appro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">priate&nbsp;magic&nbsp;value(s).&nbsp;&nbsp;The&nbsp;observation&nbsp;of&nbsp;the&nbsp;signal&nbsp;packet</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">priate&nbsp;magic&nbsp;value(s).&nbsp;&nbsp;The&nbsp;observation&nbsp;of&nbsp;the&nbsp;signal&nbsp;packet</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;to&nbsp;trigger&nbsp;the&nbsp;communication&nbsp;can&nbsp;be&nbsp;conducted&nbsp;through&nbsp;diff</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;to&nbsp;trigger&nbsp;the&nbsp;communication&nbsp;can&nbsp;be&nbsp;conducted&nbsp;through&nbsp;diff</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">erent&nbsp;methods.&nbsp;One&nbsp;means,&nbsp;originally&nbsp;implemented&nbsp;by&nbsp;Cd00r&nbsp;(C</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">erent&nbsp;methods.&nbsp;One&nbsp;means,&nbsp;originally&nbsp;implemented&nbsp;by&nbsp;Cd00r&nbsp;(C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Hartrell&nbsp;cd00r&nbsp;2002),&nbsp;is&nbsp;to&nbsp;use&nbsp;the&nbsp;libpcap&nbsp;librari</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Hartrell&nbsp;cd00r&nbsp;2002),&nbsp;is&nbsp;to&nbsp;use&nbsp;the&nbsp;libpcap&nbsp;librari</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;to&nbsp;sniff&nbsp;for&nbsp;the&nbsp;packets&nbsp;in&nbsp;question.&nbsp;Another&nbsp;method&nbsp;leve</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;to&nbsp;sniff&nbsp;for&nbsp;the&nbsp;packets&nbsp;in&nbsp;question.&nbsp;Another&nbsp;method&nbsp;leve</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rages&nbsp;raw&nbsp;sockets,&nbsp;which&nbsp;enables&nbsp;the&nbsp;malware&nbsp;to&nbsp;use&nbsp;ports&nbsp;th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rages&nbsp;raw&nbsp;sockets,&nbsp;which&nbsp;enables&nbsp;the&nbsp;malware&nbsp;to&nbsp;use&nbsp;ports&nbsp;th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">at&nbsp;are&nbsp;already&nbsp;open&nbsp;for&nbsp;use&nbsp;by&nbsp;other&nbsp;programs.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">at&nbsp;are&nbsp;already&nbsp;open&nbsp;for&nbsp;use&nbsp;by&nbsp;other&nbsp;programs.<span class=\"diff_add\">&nbsp;&nbsp;On&nbsp;network&nbsp;d</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">evices,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;crafted&nbsp;packets&nbsp;to&nbsp;enable&nbsp;[Netwo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rk&nbsp;Device&nbsp;Authentication](https://attack.mitre.org/technique</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s/T1556/004)&nbsp;for&nbsp;standard&nbsp;services&nbsp;offered&nbsp;by&nbsp;the&nbsp;device&nbsp;suc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">h&nbsp;as&nbsp;telnet.&nbsp;&nbsp;Such&nbsp;signaling&nbsp;may&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;open&nbsp;a&nbsp;clos</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ed&nbsp;service&nbsp;port&nbsp;such&nbsp;as&nbsp;telnet,&nbsp;or&nbsp;to&nbsp;trigger&nbsp;module&nbsp;modific</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation&nbsp;of&nbsp;malware&nbsp;implants&nbsp;on&nbsp;the&nbsp;device,&nbsp;adding,&nbsp;removing,&nbsp;o</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">r&nbsp;changing&nbsp;malicious&nbsp;capabilities.(Citation:&nbsp;Cisco&nbsp;Synful&nbsp;Kn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ock&nbsp;Evolution)&nbsp;(Citation:&nbsp;FireEye&nbsp;-&nbsp;Synful&nbsp;Knock)&nbsp;(Citation:</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Cisco&nbsp;Blog&nbsp;Legacy&nbsp;Device&nbsp;Attacks)&nbsp;&nbsp;To&nbsp;enable&nbsp;this&nbsp;traffic&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ignaling&nbsp;on&nbsp;embedded&nbsp;devices,&nbsp;adversaries&nbsp;must&nbsp;first&nbsp;achieve</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;and&nbsp;leverage&nbsp;[Patch&nbsp;System&nbsp;Image](https://attack.mitre.org/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">techniques/T1601/001)&nbsp;due&nbsp;to&nbsp;the&nbsp;monolithic&nbsp;nature&nbsp;of&nbsp;the&nbsp;ar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">chitecture.</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic",
                            "T1205: Port Knocking Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-01 18:23:25.002000+00:00",
                    "modified": "2020-10-21 01:26:31.804000+00:00",
                    "name": "Port Knocking",
                    "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software.\n\nThis technique has been observed both for the dynamic opening of a listening port and for initiating a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1205/001",
                            "external_id": "T1205.001"
                        },
                        {
                            "source_name": "Hartrell cd00r 2002",
                            "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.",
                            "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Network"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 01:26:31.804000+00:00\", \"old_value\": \"2020-07-01 18:23:25.002000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][3]\": \"Network\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-04 12:47:23.631000+00:00",
                    "modified": "2020-10-15 19:39:36.109000+00:00",
                    "name": "Unsecured Credentials",
                    "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1552",
                            "external_id": "T1552"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Azure activity logs",
                        "Authentication logs",
                        "AWS CloudTrail logs",
                        "Windows event logs",
                        "File monitoring",
                        "Windows Registry",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\nMonitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.\n\nMonitoring when the user's <code>.bash_history</code> is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like <code>cat ~/.bash_history</code>.\n\nAdditionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-15 19:39:36.109000+00:00\", \"old_value\": \"2020-06-17 14:25:38.461000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Azure activity logs\", \"root['x_mitre_data_sources'][1]\": \"Authentication logs\", \"root['x_mitre_data_sources'][2]\": \"AWS CloudTrail logs\", \"root['x_mitre_data_sources'][3]\": \"Windows event logs\"}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1015: Active Directory Configuration",
                            "M1017: User Training",
                            "M1022: Restrict File and Directory Permissions",
                            "M1026: Privileged Account Management",
                            "M1027: Password Policies",
                            "M1028: Operating System Configuration",
                            "M1037: Filter Network Traffic",
                            "M1041: Encrypt Sensitive Information",
                            "M1047: Audit",
                            "M1051: Update Software"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--19bf235b-8620-4997-b5b4-94e0659ed7c3",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:47:46.619000+00:00",
                    "modified": "2020-10-15 19:39:34.817000+00:00",
                    "name": "Cloud Instance Metadata API",
                    "description": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.\n",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1552/005",
                            "external_id": "T1552.005"
                        },
                        {
                            "source_name": "AWS Instance Metadata API",
                            "description": "AWS. (n.d.). Instance Metadata and User Data. Retrieved July 18, 2019.",
                            "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html"
                        },
                        {
                            "source_name": "Krebs Capital One August 2019",
                            "description": "Krebs, B.. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020.",
                            "url": "https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/"
                        },
                        {
                            "source_name": "RedLock Instance Metadata API 2018",
                            "description": "Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.",
                            "url": "https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "AWS CloudTrail logs",
                        "Azure activity logs"
                    ],
                    "x_mitre_detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\n",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-15 19:39:34.817000+00:00\", \"old_value\": \"2020-03-25 18:18:20.366000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic"
                        ],
                        "new": [
                            "M1042: Disable or Remove Feature or Program"
                        ],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-30 17:37:22.261000+00:00",
                    "modified": "2020-09-16 19:40:02.024000+00:00",
                    "name": "Application Access Token",
                    "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim\u2019s primary email, the adversary may be able to extend access to all other services to which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "lateral-movement"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1550/001",
                            "external_id": "T1550.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/593.html",
                            "external_id": "CAPEC-593"
                        },
                        {
                            "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019",
                            "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.",
                            "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/"
                        },
                        {
                            "source_name": "okta",
                            "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.",
                            "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen"
                        },
                        {
                            "source_name": "Microsoft Identity Platform Access 2019",
                            "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.",
                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
                        },
                        {
                            "source_name": "Staaldraad Phishing with OAuth 2017",
                            "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.",
                            "url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Shailesh Tiwary (Indian Army)",
                        "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)",
                        "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
                        "Mark Wee"
                    ],
                    "x_mitre_data_sources": [
                        "Office 365 audit logs",
                        "OAuth audit logs"
                    ],
                    "x_mitre_defense_bypassed": [
                        "System Access Controls"
                    ],
                    "x_mitre_detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Office 365",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-593\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:40:02.024000+00:00\", \"old_value\": \"2020-03-23 20:24:52.899000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/593.html\", \"old_value\": \"https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019\", \"old_value\": \"okta\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.\", \"old_value\": \"okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/\", \"old_value\": \"https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"okta\", \"old_value\": \"Microsoft Identity Platform Access 2019\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.\", \"old_value\": \"Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. 
Retrieved October 4, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen\", \"old_value\": \"https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Microsoft Identity Platform Access 2019\", \"old_value\": \"Staaldraad Phishing with OAuth 2017\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.\", \"old_value\": \"Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens\", \"old_value\": \"https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Staaldraad Phishing with OAuth 2017\", \"description\": \"Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.\", \"url\": \"https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1021: Restrict Web-Based Content",
                            "M1041: Encrypt Sensitive Information",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-30 17:48:49.395000+00:00",
                    "modified": "2020-09-16 19:40:44.527000+00:00",
                    "name": "Web Session Cookie",
                    "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), the adversary may import the cookie into a browser they control and use the site or application as the user for as long as the session cookie remains valid. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "lateral-movement"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1550/004",
                            "external_id": "T1550.004"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/60.html",
                            "external_id": "CAPEC-60"
                        },
                        {
                            "source_name": "Pass The Cookie",
                            "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.",
                            "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html"
                        },
                        {
                            "source_name": "Unit 42 Mac Crypto Cookies January 2019",
                            "description": "Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.",
                            "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Johann Rehberger"
                    ],
                    "x_mitre_data_sources": [
                        "Office 365 audit logs",
                        "Authentication logs"
                    ],
                    "x_mitre_defense_bypassed": [
                        "System Access Controls"
                    ],
                    "x_mitre_detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Office 365",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-60\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:40:44.527000+00:00\", \"old_value\": \"2020-03-24 12:36:24.501000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Pass The Cookie\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/60.html\", \"old_value\": \"https://wunderwuzzi23.github.io/blog/passthecookie.html\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Pass The Cookie\", \"old_value\": \"Unit 42 Mac Crypto Cookies January 2019\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.\", \"old_value\": \"Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\\u2019 Cookies. Retrieved October 14, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://wunderwuzzi23.github.io/blog/passthecookie.html\", \"old_value\": \"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Unit 42 Mac Crypto Cookies January 2019\", \"description\": \"Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\\u2019 Cookies. Retrieved October 14, 2019.\", \"url\": \"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1054: Software Configuration"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 20:36:57.378000+00:00",
                    "modified": "2020-10-19 16:01:22.090000+00:00",
                    "name": "Cloud Accounts",
                    "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1078/004",
                            "external_id": "T1078.004"
                        },
                        {
                            "source_name": "AWS Identity Federation",
                            "description": "Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, 2020.",
                            "url": "https://aws.amazon.com/identity/federation/"
                        },
                        {
                            "source_name": "Google Federating GC",
                            "description": "Google. (n.d.). Federating Google Cloud with Active Directory. Retrieved March 13, 2020.",
                            "url": "https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction"
                        },
                        {
                            "source_name": "Microsoft Deploying AD Federation",
                            "description": "Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Azure activity logs",
                        "Authentication logs",
                        "AWS CloudTrail logs",
                        "Stackdriver logs"
                    ],
                    "x_mitre_detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure",
                        "SaaS",
                        "Azure AD",
                        "Office 365"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 16:01:22.090000+00:00\", \"old_value\": \"2020-03-23 21:59:36.729000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n\\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\", \"old_value\": \"Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. 
In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n\\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n+Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. 
(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n \\n Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.\", \"old_value\": \"Perform regular audits of cloud accounts to detect abnormal or malicious activity, such as accessing information outside of the normal function of the account or account usage at atypical hours.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to1__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to1__0\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"from1_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;obtain&nbsp;and&nbsp;abuse&nbsp;credentials&nbsp;of&nbsp;a&nbsp;cloud&nbsp;acco</td><td class=\"diff_next\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"to1_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;obtain&nbsp;and&nbsp;abuse&nbsp;credentials&nbsp;of&nbsp;a&nbsp;cloud&nbsp;acco</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unt&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;gaining&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Privi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unt&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;gaining&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Privi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;thos</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;thos</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">e&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;users</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;users</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;administration&nbsp;of&nbsp;resourc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;administration&nbsp;of&nbsp;resourc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;or&nbsp;SaaS&nbsp;application.&nbsp;In&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;or&nbsp;SaaS&nbsp;application.&nbsp;In&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ome&nbsp;cases,&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;be&nbsp;federated&nbsp;with&nbsp;traditional&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ome&nbsp;cases,&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;be&nbsp;federated&nbsp;with&nbsp;traditional&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">identity&nbsp;management&nbsp;system,&nbsp;such&nbsp;as&nbsp;Window&nbsp;Active&nbsp;Directory.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">identity&nbsp;management&nbsp;system,&nbsp;such&nbsp;as&nbsp;Window&nbsp;Active&nbsp;Directory.</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;AWS&nbsp;Identity&nbsp;Federation)(Citation:&nbsp;Google&nbsp;Federat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;</span>(Citation:&nbsp;AWS&nbsp;Identity&nbsp;Federation)(Citation:&nbsp;Google&nbsp;Federa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;GC)(Citation:&nbsp;Microsoft&nbsp;Deploying&nbsp;AD&nbsp;Federation)&nbsp;&nbsp;Compro</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ting&nbsp;GC)(Citation:&nbsp;Microsoft&nbsp;Deploying&nbsp;AD&nbsp;Federation)&nbsp;&nbsp;Compr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mised&nbsp;credentials&nbsp;for&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;harvest&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">omised&nbsp;credentials&nbsp;for&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;harvest</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sensitive&nbsp;data&nbsp;from&nbsp;online&nbsp;storage&nbsp;accounts&nbsp;and&nbsp;databases.&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;sensitive&nbsp;data&nbsp;from&nbsp;online&nbsp;storage&nbsp;accounts&nbsp;and&nbsp;databases.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ccess&nbsp;to&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;gain&nbsp;Initial&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">Access&nbsp;to&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;gain&nbsp;Initial&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ccess&nbsp;to&nbsp;a&nbsp;network&nbsp;by&nbsp;abusing&nbsp;a&nbsp;[Trusted&nbsp;Relationship](https</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Access&nbsp;to&nbsp;a&nbsp;network&nbsp;by&nbsp;abusing&nbsp;a&nbsp;[Trusted&nbsp;Relationship](http</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">://attack.mitre.org/techniques/T1199).&nbsp;Similar&nbsp;to&nbsp;[Domain&nbsp;Ac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s://attack.mitre.org/techniques/T1199).&nbsp;Similar&nbsp;to&nbsp;[Domain&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">counts](https://attack.mitre.org/techniques/T1078/002),&nbsp;comp</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ccounts](https://attack.mitre.org/techniques/T1078/002),&nbsp;com</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">romise&nbsp;of&nbsp;federated&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">promise&nbsp;of&nbsp;federated&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">more&nbsp;easily&nbsp;move&nbsp;laterally&nbsp;within&nbsp;an&nbsp;environment.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;more&nbsp;easily&nbsp;move&nbsp;laterally&nbsp;within&nbsp;an&nbsp;environment.</td></tr>\n 
       </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1027: Password Policies"
                        ],
                        "new": [
                            "M1018: User Account Management",
                            "M1032: Multi-factor Authentication"
                        ],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 20:15:31.974000+00:00",
                    "modified": "2020-09-16 19:41:43.491000+00:00",
                    "name": "Default Accounts",
                    "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019)\n\nDefault accounts are not limited to client machines; they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1078/001",
                            "external_id": "T1078.001"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/70.html",
                            "external_id": "CAPEC-70"
                        },
                        {
                            "source_name": "Microsoft Local Accounts Feb 2019",
                            "description": "Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019.",
                            "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts"
                        },
                        {
                            "source_name": "Metasploit SSH Module",
                            "description": "undefined. (n.d.). Retrieved April 12, 2019.",
                            "url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "AWS CloudTrail logs",
                        "Stackdriver logs",
                        "Authentication logs",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-70\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:41:43.491000+00:00\", \"old_value\": \"2020-03-23 21:37:34.567000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Microsoft Local Accounts Feb 2019\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/70.html\", \"old_value\": \"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Microsoft Local Accounts Feb 2019\", \"old_value\": \"Metasploit SSH Module\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019.\", \"old_value\": \"undefined. (n.d.). Retrieved April 12, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts\", \"old_value\": \"https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Metasploit SSH Module\", \"description\": \"undefined. (n.d.). Retrieved April 12, 2019.\", \"url\": \"https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1027: Password Policies"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 20:21:54.758000+00:00",
                    "modified": "2020-09-16 19:42:11.787000+00:00",
                    "name": "Domain Accounts",
                    "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1078/002",
                            "external_id": "T1078.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/560.html",
                            "external_id": "CAPEC-560"
                        },
                        {
                            "source_name": "TechNet Credential Theft",
                            "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx"
                        },
                        {
                            "source_name": "Microsoft AD Accounts",
                            "description": "Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts"
                        },
                        {
                            "source_name": "TechNet Audit Policy",
                            "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-560\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:42:11.787000+00:00\", \"old_value\": \"2020-03-23 21:08:40.063000+00:00\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"TechNet Credential Theft\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/560.html\", \"old_value\": \"https://technet.microsoft.com/en-us/library/dn535501.aspx\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"TechNet Credential Theft\", \"old_value\": \"Microsoft AD Accounts\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.\", \"old_value\": \"Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://technet.microsoft.com/en-us/library/dn535501.aspx\", \"old_value\": \"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Microsoft AD Accounts\", \"old_value\": \"TechNet Audit Policy\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.\", \"old_value\": \"Microsoft. (2016, April 15). Audit Policy Recommendations. 
Retrieved June 3, 2016.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts\", \"old_value\": \"https://technet.microsoft.com/en-us/library/dn487457.aspx\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"TechNet Audit Policy\", \"description\": \"Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.\", \"url\": \"https://technet.microsoft.com/en-us/library/dn487457.aspx\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1032: Multi-factor Authentication"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                }
            ],
            "other_version_changes": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-17 16:15:19.870000+00:00",
                    "modified": "2020-10-09 13:46:29.701000+00:00",
                    "name": "Systemd Service",
                    "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a service is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped, including manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1543/002",
                            "external_id": "T1543.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/550.html",
                            "external_id": "CAPEC-550"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/551.html",
                            "external_id": "CAPEC-551"
                        },
                        {
                            "source_name": "Linux man-pages: systemd January 2014",
                            "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.",
                            "url": "http://man7.org/linux/man-pages/man1/systemd.1.html"
                        },
                        {
                            "source_name": "Freedesktop.org Linux systemd 29SEP2018",
                            "description": "Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019.",
                            "url": "https://www.freedesktop.org/wiki/Software/systemd/"
                        },
                        {
                            "source_name": "Anomali Rocke March 2019",
                            "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.",
                            "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
                        },
                        {
                            "source_name": "Rapid7 Service Persistence 22JUNE2016",
                            "description": "Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.",
                            "url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Tony Lambert, Red Canary"
                    ],
                    "x_mitre_data_sources": [
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Systemd service unit files may be detected by auditing file creation and modification events within the <code>/etc/systemd/system</code>, <code>/usr/lib/systemd/system/</code>, and <code>/home/<username>/.config/systemd/user/</code> directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user.\n\nSuspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system-wide services: <code>systemctl list-units --type=service --all</code>. Analyze the contents of <code>.service</code> files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAuditing the execution and command-line arguments of the 'systemctl' utility, as well as related utilities such as <code>/usr/sbin/service</code>, may reveal malicious systemd service execution.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "root"
                    ],
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['external_id']\": \"CAPEC-550\", \"root['external_references'][2]['external_id']\": \"CAPEC-551\"}, \"dictionary_item_removed\": {\"root['external_references'][1]['description']\": \"Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.\", \"root['external_references'][2]['description']\": \"Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019.\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-09 13:46:29.701000+00:00\", \"old_value\": \"2020-03-25 22:13:59.473000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\\n\\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands:\\n\\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. 
\\n* ExecReload directive covers when a service restarts. \\n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\\n\\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\\n\\nWhile adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)\", \"old_value\": \"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\\n\\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. 
Each service unit file may contain numerous directives that can execute system commands:\\n\\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \\n* ExecReload directive covers when a service restarts. \\n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\\n\\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)\\n\\nWhile adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)\", \"diff\": \"--- \\n+++ \\n@@ -6,6 +6,6 @@\\n * ExecReload directive covers when a service restarts. 
\\n * ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\\n \\n-Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)\\n+Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\\n \\n While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Linux man-pages: systemd January 2014\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/550.html\", \"old_value\": \"http://man7.org/linux/man-pages/man1/systemd.1.html\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"capec\", \"old_value\": \"Freedesktop.org Linux systemd 29SEP2018\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/551.html\", \"old_value\": \"https://www.freedesktop.org/wiki/Software/systemd/\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Linux man-pages: systemd January 2014\", \"old_value\": \"Anomali 
Rocke March 2019\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.\", \"old_value\": \"Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"http://man7.org/linux/man-pages/man1/systemd.1.html\", \"old_value\": \"https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Freedesktop.org Linux systemd 29SEP2018\", \"old_value\": \"gist Arch package compromise 10JUL2018\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019.\", \"old_value\": \"Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.freedesktop.org/wiki/Software/systemd/\", \"old_value\": \"https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Anomali Rocke March 2019\", \"old_value\": \"Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.\", \"old_value\": \"Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. 
Retrieved April 23, 2019.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang\", \"old_value\": \"https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Rapid7 Service Persistence 22JUNE2016\", \"old_value\": \"acroread package compromised Arch Linux Mail 8JUL2018\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.\", \"old_value\": \"Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence\", \"old_value\": \"https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.0\"}}, \"iterable_item_removed\": {\"root['external_references'][7]\": {\"source_name\": \"Rapid7 Service Persistence 22JUNE2016\", \"description\": \"Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.\", \"url\": \"https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.2",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to29__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to29__0\"><a href=\"#difflib_chg_to29__top\">t</a></td><td class=\"diff_header\" id=\"from29_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</td><td class=\"diff_next\"><a href=\"#difflib_chg_to29__top\">t</a></td><td class=\"diff_header\" id=\"to29_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;The&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;The&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ystemd&nbsp;service&nbsp;manager&nbsp;is&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managing&nbsp;backgro</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ystemd&nbsp;service&nbsp;manager&nbsp;is&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managing&nbsp;backgro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">und&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;other&nbsp;syst</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">und&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;other&nbsp;syst</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;resources.(Citation:&nbsp;Linux&nbsp;man-pages:&nbsp;systemd&nbsp;January&nbsp;201</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;resources.(Citation:&nbsp;Linux&nbsp;man-pages:&nbsp;systemd&nbsp;January&nbsp;201</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">4)(Citation:&nbsp;Freedesktop.org&nbsp;Linux&nbsp;systemd&nbsp;29SEP2018)&nbsp;System</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">4)(Citation:&nbsp;Freedesktop.org&nbsp;Linux&nbsp;systemd&nbsp;29SEP2018)&nbsp;System</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;is&nbsp;the&nbsp;default&nbsp;initialization&nbsp;(init)&nbsp;system&nbsp;on&nbsp;many&nbsp;Linux&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;is&nbsp;the&nbsp;default&nbsp;initialization&nbsp;(init)&nbsp;system&nbsp;on&nbsp;many&nbsp;Linux&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">distributions&nbsp;starting&nbsp;with&nbsp;Debian&nbsp;8,&nbsp;Ubuntu&nbsp;15.04,&nbsp;CentOS&nbsp;7</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">distributions&nbsp;starting&nbsp;with&nbsp;Debian&nbsp;8,&nbsp;Ubuntu&nbsp;15.04,&nbsp;CentOS&nbsp;7</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">,&nbsp;RHEL&nbsp;7,&nbsp;Fedora&nbsp;15,&nbsp;and&nbsp;replaces&nbsp;legacy&nbsp;init&nbsp;systems&nbsp;includ</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;RHEL&nbsp;7,&nbsp;Fedora&nbsp;15,&nbsp;and&nbsp;replaces&nbsp;legacy&nbsp;init&nbsp;systems&nbsp;includ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;SysVinit&nbsp;and&nbsp;Upstart&nbsp;while&nbsp;remaining&nbsp;backwards&nbsp;compatibl</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;SysVinit&nbsp;and&nbsp;Upstart&nbsp;while&nbsp;remaining&nbsp;backwards&nbsp;compatibl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;with&nbsp;the&nbsp;aforementioned&nbsp;init&nbsp;systems.&nbsp;&nbsp;Systemd&nbsp;utilizes&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;with&nbsp;the&nbsp;aforementioned&nbsp;init&nbsp;systems.&nbsp;&nbsp;Systemd&nbsp;utilizes&nbsp;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nfiguration&nbsp;files&nbsp;known&nbsp;as&nbsp;service&nbsp;units&nbsp;to&nbsp;control&nbsp;how&nbsp;serv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nfiguration&nbsp;files&nbsp;known&nbsp;as&nbsp;service&nbsp;units&nbsp;to&nbsp;control&nbsp;how&nbsp;serv</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ices&nbsp;boot&nbsp;and&nbsp;under&nbsp;what&nbsp;conditions.&nbsp;By&nbsp;default,&nbsp;these&nbsp;unit&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ices&nbsp;boot&nbsp;and&nbsp;under&nbsp;what&nbsp;conditions.&nbsp;By&nbsp;default,&nbsp;these&nbsp;unit&nbsp;</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">files&nbsp;are&nbsp;stored&nbsp;in&nbsp;the&nbsp;&lt;code&gt;/etc/systemd/system&lt;/code&gt;&nbsp;and</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">files&nbsp;are&nbsp;stored&nbsp;in&nbsp;the&nbsp;&lt;code&gt;/etc/systemd/system&lt;/code&gt;&nbsp;and</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&lt;code&gt;/usr/lib/systemd/system&lt;/code&gt;&nbsp;directories&nbsp;and&nbsp;have&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&lt;code&gt;/usr/lib/systemd/system&lt;/code&gt;&nbsp;directories&nbsp;and&nbsp;have&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.service&lt;/code&gt;.&nbsp;Each&nbsp;service&nbsp;unit&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.service&lt;/code&gt;.&nbsp;Each&nbsp;service&nbsp;unit&nbsp;f</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ile&nbsp;may&nbsp;contain&nbsp;numerous&nbsp;directives&nbsp;that&nbsp;can&nbsp;execute&nbsp;system&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ile&nbsp;may&nbsp;contain&nbsp;numerous&nbsp;directives&nbsp;that&nbsp;can&nbsp;execute&nbsp;system&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">commands:&nbsp;&nbsp;*&nbsp;ExecStart,&nbsp;ExecStartPre,&nbsp;and&nbsp;ExecStartPost&nbsp;dire</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">commands:&nbsp;&nbsp;*&nbsp;ExecStart,&nbsp;ExecStartPre,&nbsp;and&nbsp;ExecStartPost&nbsp;dire</td></tr>\n            
<tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctives&nbsp;cover&nbsp;execution&nbsp;of&nbsp;commands&nbsp;when&nbsp;a&nbsp;services&nbsp;is&nbsp;starte</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctives&nbsp;cover&nbsp;execution&nbsp;of&nbsp;commands&nbsp;when&nbsp;a&nbsp;services&nbsp;is&nbsp;starte</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;manually&nbsp;by&nbsp;'systemctl'&nbsp;or&nbsp;on&nbsp;system&nbsp;start&nbsp;if&nbsp;the&nbsp;service&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;manually&nbsp;by&nbsp;'systemctl'&nbsp;or&nbsp;on&nbsp;system&nbsp;start&nbsp;if&nbsp;the&nbsp;service&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">is&nbsp;set&nbsp;to&nbsp;automatically&nbsp;start.&nbsp;&nbsp;*&nbsp;ExecReload&nbsp;directive&nbsp;cover</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">is&nbsp;set&nbsp;to&nbsp;automatically&nbsp;start.&nbsp;&nbsp;*&nbsp;ExecReload&nbsp;directive&nbsp;cover</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;when&nbsp;a&nbsp;service&nbsp;restarts.&nbsp;&nbsp;*&nbsp;ExecStop&nbsp;and&nbsp;ExecStopPost&nbsp;dire</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;when&nbsp;a&nbsp;service&nbsp;restarts.&nbsp;&nbsp;*&nbsp;ExecStop&nbsp;and&nbsp;ExecStopPost&nbsp;dire</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctives&nbsp;cover&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;stopped&nbsp;or&nbsp;manually&nbsp;by&nbsp;'syste</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ctives&nbsp;cover&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;stopped&nbsp;or&nbsp;manually&nbsp;by&nbsp;'syste</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mctl'.&nbsp;&nbsp;Adversaries&nbsp;have&nbsp;used&nbsp;systemd&nbsp;functionality&nbsp;to&nbsp;estab</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mctl'.&nbsp;&nbsp;Adversaries&nbsp;have&nbsp;used&nbsp;systemd&nbsp;functionality&nbsp;to&nbsp;estab</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lish&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems&nbsp;by&nbsp;creating&nbsp;and/or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lish&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems&nbsp;by&nbsp;creating&nbsp;and/or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modifying&nbsp;service&nbsp;unit&nbsp;files&nbsp;that&nbsp;cause&nbsp;systemd&nbsp;to&nbsp;execute&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modifying&nbsp;service&nbsp;unit&nbsp;files&nbsp;that&nbsp;cause&nbsp;systemd&nbsp;to&nbsp;execute&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">alicious&nbsp;commands&nbsp;at&nbsp;<span class=\"diff_chg\">recurring&nbsp;intervals,&nbsp;such&nbsp;as&nbsp;at&nbsp;system</span>&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">alicious&nbsp;commands&nbsp;at&nbsp;<span class=\"diff_chg\">system</span>&nbsp;boot.(Citation:&nbsp;Anomali&nbsp;Rocke&nbsp;Ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">boot.(Citation:&nbsp;Anomali&nbsp;Rocke&nbsp;March&nbsp;2019)<span 
class=\"diff_chg\">(Citation:&nbsp;</span>g<span class=\"diff_chg\">ist&nbsp;Arc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rch&nbsp;2019)<span class=\"diff_chg\">&nbsp;&nbsp;While&nbsp;adversaries&nbsp;typically&nbsp;require&nbsp;root&nbsp;privile</span>g</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">h</span>&nbsp;p<span class=\"diff_chg\">acka</span>ge&nbsp;<span class=\"diff_chg\">compromise&nbsp;10JUL2018)(Citation:&nbsp;Arch&nbsp;Linux&nbsp;Package</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">es&nbsp;to&nbsp;create/modify&nbsp;service&nbsp;unit&nbsp;files&nbsp;in&nbsp;the&nbsp;&lt;code&gt;/etc/sys</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">&nbsp;Systemd&nbsp;Compromise&nbsp;BleepingComputer&nbsp;10JUL2018)(Citation:&nbsp;ac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">temd/system&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;/usr/lib/systemd/system&lt;/code&gt;&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">roread&nbsp;package&nbsp;compromised&nbsp;Arch&nbsp;Linux&nbsp;Mail&nbsp;8JUL2018)&nbsp;&nbsp;While&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">directories,&nbsp;low</span>&nbsp;p<span class=\"diff_chg\">rivile</span>ge&nbsp;<span class=\"diff_chg\">users&nbsp;can</span>&nbsp;create/modify&nbsp;service&nbsp;u</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_chg\">adversaries&nbsp;typically&nbsp;require&nbsp;root&nbsp;privileges&nbsp;to</span>&nbsp;create/modi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nit&nbsp;files&nbsp;in&nbsp;<span class=\"diff_chg\">directories&nbsp;such&nbsp;as</span>&nbsp;&lt;code&gt;~/.config/systemd/use</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fy&nbsp;service&nbsp;unit&nbsp;files&nbsp;in&nbsp;<span class=\"diff_chg\">the&nbsp;&lt;code&gt;/etc/systemd/system&lt;/code</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r/&lt;/code&gt;&nbsp;to&nbsp;achieve&nbsp;user-level&nbsp;persistence.(Citation:&nbsp;Rapid</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">&gt;&nbsp;and&nbsp;&lt;code&gt;/usr/lib/systemd/system&lt;/code&gt;&nbsp;directories,&nbsp;low&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">7&nbsp;Service&nbsp;Persistence&nbsp;22JUNE2016)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">privilege&nbsp;users&nbsp;can&nbsp;create/modify&nbsp;service&nbsp;unit&nbsp;files&nbsp;in&nbsp;dire</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ctories&nbsp;such&nbsp;as</span>&nbsp;&lt;code&gt;~/.config/systemd/user/&lt;/code&gt;&nbsp;to&nbsp;achi</td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">eve&nbsp;user-level&nbsp;persistence.(Citation:&nbsp;Rapid7&nbsp;Service&nbsp;Persist</td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ence&nbsp;22JUNE2016)</td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1022: Restrict File and Directory Permissions",
                            "M1026: Privileged Account Management",
                            "M1033: Limit Software Installation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                }
            ],
            "patches": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-30 13:58:14.373000+00:00",
                    "modified": "2020-07-22 21:36:52.825000+00:00",
                    "name": "Abuse Elevation Control Mechanism",
                    "description": "Adversaries may circumvent mechanisms designed to control the elevation of privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1548",
                            "external_id": "T1548"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "File monitoring",
                        "Process command-line parameters",
                        "API monitoring",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Monitor the file system for files that have the setuid or setgid bits set. Many legitimate system binaries carry these bits, so compare against a known-good baseline (for example, the package manager's manifest) and alert on newly created or modified setuid/setgid files rather than on their mere presence. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.\n\nConsider monitoring for <code>/usr/libexec/security_authtrampoline</code> executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. macOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). Because legitimate administrative use of sudo produces the same condition, such alerts are most useful when correlated with the invoking user, the command executed, and the expected administrative activity for that host. This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the <code>LOG_INPUT</code> and <code>LOG_OUTPUT</code> directives in the <code>/etc/sudoers</code> file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-22 21:36:52.825000+00:00\", \"old_value\": \"2020-06-25 19:57:54.923000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1026: Privileged Account Management",
                            "M1028: Operating System Configuration",
                            "M1038: Execution Prevention",
                            "M1047: Audit",
                            "M1052: User Account Control"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:12.196000+00:00",
                    "modified": "2020-10-05 16:43:29.473000+00:00",
                    "name": "Account Manipulation",
                    "description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1098",
                            "external_id": "T1098"
                        },
                        {
                            "source_name": "Microsoft User Modified Event",
                            "description": "Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017.",
                            "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738"
                        },
                        {
                            "source_name": "Microsoft Security Event 4670",
                            "description": "Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019.",
                            "url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670"
                        },
                        {
                            "source_name": "InsiderThreat ChangeNTLM July 2017",
                            "description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.",
                            "url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM"
                        },
                        {
                            "source_name": "GitHub Mimikatz Issue 92 June 2017",
                            "description": "Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92. Retrieved December 4, 2017.",
                            "url": "https://github.com/gentilkiwi/mimikatz/issues/92"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
                        "Praetorian",
                        "Tim MalcomVetter"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "Windows event logs"
                    ],
                    "x_mitre_detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670) Note that these events are only generated when the corresponding audit policy subcategories are enabled, so verify audit configuration before relying on them. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. For cloud and identity platforms, collect the provider's equivalent identity and access audit logs and apply the same correlation.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Windows",
                        "Office 365",
                        "Azure",
                        "GCP",
                        "Azure AD",
                        "AWS",
                        "Linux",
                        "macOS"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-05 16:43:29.473000+00:00\", \"old_value\": \"2020-07-15 12:43:37.469000+00:00\"}}}",
                    "previous_version": "2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1028: Operating System Configuration",
                            "M1030: Network Segmentation",
                            "M1032: Multi-factor Authentication"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:56.776000+00:00",
                    "modified": "2020-10-21 16:35:45.986000+00:00",
                    "name": "Application Layer Protocol",
                    "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1071",
                            "external_id": "T1071"
                        },
                        {
                            "source_name": "University of Birmingham C2",
                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "DNS records",
                        "Network protocol analysis",
                        "Packet capture",
                        "Netflow/Enclave netflow",
                        "Process use of network",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_network_requirements": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 16:35:45.986000+00:00\", \"old_value\": \"2020-03-27 19:02:44.772000+00:00\"}}}",
                    "previous_version": "2.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1031: Network Intrusion Prevention"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-15 16:27:31.768000+00:00",
                    "modified": "2020-10-21 16:26:34.196000+00:00",
                    "name": "DNS",
                    "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1071/004",
                            "external_id": "T1071.004"
                        },
                        {
                            "source_name": "PAN DNS Tunneling",
                            "description": "Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020.",
                            "url": "https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling"
                        },
                        {
                            "source_name": "Medium DnsTunneling",
                            "description": "Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020.",
                            "url": "https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000"
                        },
                        {
                            "source_name": "University of Birmingham C2",
                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Jan Petrov, Citi"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "DNS records",
                        "Process monitoring",
                        "Process use of network",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 16:26:34.196000+00:00\", \"old_value\": \"2020-03-27 19:02:44.600000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Netflow/Enclave netflow\"}, \"iterable_item_removed\": {\"root['x_mitre_data_sources'][1]\": \"Netflow/Enclave netflow\", \"root['x_mitre_data_sources'][4]\": \"Netflow/Enclave netflow\"}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1031: Network Intrusion Prevention",
                            "M1037: Filter Network Traffic"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-15 16:16:25.763000+00:00",
                    "modified": "2020-08-21 14:41:22.911000+00:00",
                    "name": "File Transfer Protocols",
                    "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1071/002",
                            "external_id": "T1071.002"
                        },
                        {
                            "source_name": "University of Birmingham C2",
                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network protocol analysis",
                        "Process monitoring",
                        "Process use of network",
                        "Netflow/Enclave netflow",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-21 14:41:22.911000+00:00\", \"old_value\": \"2020-03-26 20:26:46.465000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \", \"old_value\": \"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as FTP, FTPS, and TFPT that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. 
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n \\n-Protocols such as FTP, FTPS, and TFPT that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \\n+Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to15__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to15__0\"><a href=\"#difflib_chg_to15__top\">t</a></td><td class=\"diff_header\" id=\"from15_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td><td class=\"diff_next\"><a href=\"#difflib_chg_to15__top\">t</a></td><td class=\"diff_header\" id=\"to15_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ds,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;between&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ds,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;between&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;FTP,&nbsp;FTPS,&nbsp;and&nbsp;TFP<span class=\"diff_chg\">T&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;FTP,&nbsp;FTPS,&nbsp;and&nbsp;TF<span class=\"diff_add\">T</span>P<span class=\"diff_chg\">&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">that&nbsp;transfer&nbsp;files&nbsp;may&nbsp;be</span>&nbsp;very&nbsp;common&nbsp;in&nbsp;environments.&nbsp;&nbsp;Pac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">that&nbsp;transfer&nbsp;files&nbsp;may&nbsp;be</span>&nbsp;very&nbsp;common&nbsp;in&nbsp;environments.&nbsp;&nbsp;Pac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">kets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;have&nbsp;many&nbsp;fields&nbsp;and&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;have&nbsp;many&nbsp;fields&nbsp;and&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Data&nbsp;could&nbsp;also&nbsp;be&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Data&nbsp;could&nbsp;also&nbsp;be&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oncealed&nbsp;within&nbsp;the&nbsp;transferred&nbsp;files.&nbsp;An&nbsp;adversary&nbsp;may&nbsp;abus</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oncealed&nbsp;within&nbsp;the&nbsp;transferred&nbsp;files.&nbsp;An&nbsp;adversary&nbsp;may&nbsp;abus</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;with&nbsp;systems&nbsp;under&nbsp;their&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;with&nbsp;systems&nbsp;under&nbsp;their&nbsp;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ntrol&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;while&nbsp;also&nbsp;mimicking&nbsp;normal,&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ntrol&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;while&nbsp;also&nbsp;mimicking&nbsp;normal,&nbsp;e</td></tr>\n            
<tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xpected&nbsp;traffic.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xpected&nbsp;traffic.&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1031: Network Intrusion Prevention"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-15 16:21:45.131000+00:00",
                    "modified": "2020-10-21 16:35:45.633000+00:00",
                    "name": "Mail Protocols",
                    "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1071/003",
                            "external_id": "T1071.003"
                        },
                        {
                            "source_name": "University of Birmingham C2",
                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Network protocol analysis",
                        "Process monitoring",
                        "Process use of network",
                        "Netflow/Enclave netflow",
                        "Packet capture"
                    ],
                    "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 16:35:45.633000+00:00\", \"old_value\": \"2020-03-26 20:28:00.985000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \", \"old_value\": \"Adversaries may communicate using application layer protocols associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. 
\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may communicate using application layer protocols associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n+Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n \\n Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to0__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to0__0\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"from0_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"to0_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;associated&nbsp;with&nbsp;electronic&nbsp;map&nbsp;delivery&nbsp;to&nbsp;avoid&nbsp;detection</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;associated&nbsp;with&nbsp;electronic&nbsp;mail&nbsp;delivery&nbsp;to&nbsp;avoid&nbsp;detectio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/network&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Com</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">n/network&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mands&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mmands&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ommands,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;betwee</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">commands,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;betwe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;the&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;SMTP/S,&nbsp;POP3/S,</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">en&nbsp;the&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;SMTP/S,&nbsp;POP3/S</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;and&nbsp;IMAP&nbsp;that&nbsp;carry&nbsp;electronic&nbsp;mail&nbsp;may&nbsp;be&nbsp;very&nbsp;common&nbsp;in&nbsp;e</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">,&nbsp;and&nbsp;IMAP&nbsp;that&nbsp;carry&nbsp;electronic&nbsp;mail&nbsp;may&nbsp;be&nbsp;very&nbsp;common&nbsp;in&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nvironments.&nbsp;&nbsp;Packets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;have</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">environments.&nbsp;&nbsp;Packets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;hav</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;many&nbsp;fields&nbsp;and&nbsp;headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Dat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;many&nbsp;fields&nbsp;and&nbsp;headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Da</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">a&nbsp;could&nbsp;also&nbsp;be&nbsp;concealed&nbsp;within&nbsp;the&nbsp;email&nbsp;messages&nbsp;themselv</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ta&nbsp;could&nbsp;also&nbsp;be&nbsp;concealed&nbsp;within&nbsp;the&nbsp;email&nbsp;messages&nbsp;themsel</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es.&nbsp;An&nbsp;adversary&nbsp;may&nbsp;abuse&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ves.&nbsp;An&nbsp;adversary&nbsp;may&nbsp;abuse&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;w</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">th&nbsp;systems&nbsp;under&nbsp;their&nbsp;control&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;while</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ith&nbsp;systems&nbsp;under&nbsp;their&nbsp;control&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;whil</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;also&nbsp;mimicking&nbsp;normal,&nbsp;expected&nbsp;traffic.&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;also&nbsp;mimicking&nbsp;normal,&nbsp;expected&nbsp;traffic.&nbsp;</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1031: Network Intrusion Prevention"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-20 20:53:45.725000+00:00",
                    "modified": "2020-10-21 16:36:55.831000+00:00",
                    "name": "Archive Collected Data",
                    "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, third-party library, or custom method.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1560",
                            "external_id": "T1560"
                        },
                        {
                            "source_name": "Wikipedia File Header Signatures",
                            "description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.",
                            "url": "https://en.wikipedia.org/wiki/List_of_file_signatures"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "Process command-line parameters",
                        "File monitoring",
                        "Binary file metadata"
                    ],
                    "x_mitre_detection": "Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 16:36:55.831000+00:00\", \"old_value\": \"2020-03-29 18:27:31.040000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:22.767000+00:00",
                    "modified": "2020-10-21 16:38:27.781000+00:00",
                    "name": "Brute Force",
                    "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1110",
                            "external_id": "T1110"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/49.html",
                            "external_id": "CAPEC-49"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Ed Williams, Trustwave, SpiderLabs"
                    ],
                    "x_mitre_data_sources": [
                        "Office 365 account logs",
                        "Authentication logs"
                    ],
                    "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "Office 365",
                        "Azure AD",
                        "SaaS",
                        "GCP",
                        "AWS",
                        "Azure"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 16:38:27.781000+00:00\", \"old_value\": \"2020-07-09 17:01:18.302000+00:00\"}}}",
                    "previous_version": "2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1027: Password Policies",
                            "M1032: Multi-factor Authentication",
                            "M1036: Account Use Policies",
                            "T1110: Brute Force Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-10 16:03:18.865000+00:00",
                    "modified": "2020-10-09 13:46:29.922000+00:00",
                    "name": "Create or Modify System Process",
                    "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user-specific parameters.(Citation: AppleDocs Launch Agent Daemons)\n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.\n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1543",
                            "external_id": "T1543"
                        },
                        {
                            "source_name": "TechNet Services",
                            "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
                        },
                        {
                            "source_name": "AppleDocs Launch Agent Daemons",
                            "description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
                            "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
                        },
                        {
                            "source_name": "OSX Malware Detection",
                            "description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.",
                            "url": "https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Windows event logs",
                        "Windows Registry",
                        "File monitoring",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques.\n\nMonitor for changes to files associated with system-level processes.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Windows",
                        "macOS",
                        "Linux"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-09 13:46:29.922000+00:00\", \"old_value\": \"2020-03-25 22:32:16.537000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1022: Restrict File and Directory Permissions",
                            "M1033: Limit Software Installation",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-03-15 13:59:30.390000+00:00",
                    "modified": "2020-10-14 14:52:11.708000+00:00",
                    "name": "Data Encrypted for Impact",
                    "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1486",
                            "external_id": "T1486"
                        },
                        {
                            "source_name": "US-CERT Ransomware 2016",
                            "description": "US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA16-091A"
                        },
                        {
                            "source_name": "FireEye WannaCry 2017",
                            "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
                        },
                        {
                            "source_name": "US-CERT NotPetya 2017",
                            "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A"
                        },
                        {
                            "source_name": "US-CERT SamSam 2018",
                            "description": "US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/AA18-337A"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Kernel drivers",
                        "File monitoring",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "root",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 14:52:11.708000+00:00\", \"old_value\": \"2020-03-27 21:09:28.699000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\\n\\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.\", \"old_value\": \"Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\\n\\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\\n+Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\\n \\n In some cases, monitoring for unusual kernel driver installation activity can aid in detection.\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1053: Data Backup",
                            "T1486: Data Encrypted for Impact Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:58.938000+00:00",
                    "modified": "2020-09-14 19:48:08.180000+00:00",
                    "name": "Data Staged",
                    "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1074",
                            "external_id": "T1074"
                        },
                        {
                            "source_name": "PWC Cloud Hopper April 2017",
                            "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.",
                            "url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
                        },
                        {
                            "source_name": "Mandiant M-Trends 2020",
                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
                            "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian",
                        "Shane Tully, @securitygypsy"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather data and copy it to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-14 19:48:08.180000+00:00\", \"old_value\": \"2020-06-24 18:59:16.039000+00:00\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\", \"old_value\": \"FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\"}}}",
                    "previous_version": "1.2",
                    "changelog_mitigations": {
                        "shared": [
                            "T1074: Data Staged Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 21:14:58.206000+00:00",
                    "modified": "2020-09-14 19:48:07.491000+00:00",
                    "name": "Remote Data Staging",
                    "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1074/002",
                            "external_id": "T1074.002"
                        },
                        {
                            "source_name": "Mandiant M-Trends 2020",
                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
                            "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather data and copy it to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-14 19:48:07.491000+00:00\", \"old_value\": \"2020-06-24 18:59:15.833000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\", \"old_value\": \"FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-02-14 16:15:05.974000+00:00",
                    "modified": "2020-09-17 18:26:17.858000+00:00",
                    "name": "Domain Trust Discovery",
                    "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "discovery"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1482",
                            "external_id": "T1482"
                        },
                        {
                            "source_name": "Microsoft Trusts",
                            "description": "Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019.",
                            "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)"
                        },
                        {
                            "source_name": "AdSecurity Forging Trust Tickets",
                            "description": "Metcalf, S. (2015, July 15). It\u2019s All About Trust \u2013 Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019.",
                            "url": "https://adsecurity.org/?p=1588"
                        },
                        {
                            "source_name": "Harmj0y Domain Trusts",
                            "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.",
                            "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/"
                        },
                        {
                            "source_name": "Microsoft Operation Wilysupply",
                            "description": "Florio, E.. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019.",
                            "url": "https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/"
                        },
                        {
                            "source_name": "Microsoft GetAllTrustRelationships",
                            "description": "Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.",
                            "url": "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Dave Westgard",
                        "Elia Florio, Microsoft",
                        "Mnemonic",
                        "RedHuntLabs, @redhuntlabs"
                    ],
                    "x_mitre_data_sources": [
                        "PowerShell logs",
                        "API monitoring",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `nltest /domain_trusts`. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the `DSEnumerateDomainTrusts()` Win32 API call to spot activity associated with [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). The .NET method `GetAllTrustRelationships()` can be an indicator of [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Microsoft GetAllTrustRelationships)\n",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-17 18:26:17.858000+00:00\", \"old_value\": \"2020-03-26 16:13:21.085000+00:00\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/\", \"old_value\": \"http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ \"}}}",
                    "previous_version": "1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1030: Network Segmentation",
                            "M1047: Audit",
                            "T1482: Domain Trust Discovery Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-10 17:28:11.747000+00:00",
                    "modified": "2020-10-02 01:37:39.938000+00:00",
                    "name": "Dynamic Resolution",
                    "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1568",
                            "external_id": "T1568"
                        },
                        {
                            "source_name": "Talos CCleanup 2017",
                            "description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.",
                            "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
                        },
                        {
                            "source_name": "FireEye POSHSPY April 2017",
                            "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
                        },
                        {
                            "source_name": "ESET Sednit 2017 Activity",
                            "description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.",
                            "url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
                        },
                        {
                            "source_name": "Data Driven Security DGA",
                            "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
                            "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Chris Roffe"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS inspection",
                        "Web logs",
                        "DNS records"
                    ],
                    "x_mitre_detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-02 01:37:39.938000+00:00\", \"old_value\": \"2020-03-27 20:54:28.560000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1021: Restrict Web-Based Content",
                            "M1031: Network Intrusion Prevention"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-10 17:44:59.787000+00:00",
                    "modified": "2020-10-02 01:37:39.618000+00:00",
                    "name": "Domain Generation Algorithms",
                    "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or \u201cgibberish\u201d strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "command-and-control"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1568/002",
                            "external_id": "T1568.002"
                        },
                        {
                            "source_name": "Cybereason Dissecting DGAs",
                            "description": "Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.",
                            "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf"
                        },
                        {
                            "source_name": "Cisco Umbrella DGA",
                            "description": "Scarfo, A. (2016, October 10). Domain Generation Algorithms \u2013 Why so effective?. Retrieved February 18, 2019.",
                            "url": "https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/"
                        },
                        {
                            "source_name": "Unit 42 DGA Feb 2019",
                            "description": "Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019.",
                            "url": "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/"
                        },
                        {
                            "source_name": "Talos CCleanup 2017",
                            "description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.",
                            "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
                        },
                        {
                            "source_name": "Akamai DGA Mitigation",
                            "description": "Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.",
                            "url": "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html"
                        },
                        {
                            "source_name": "FireEye POSHSPY April 2017",
                            "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
                        },
                        {
                            "source_name": "ESET Sednit 2017 Activity",
                            "description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.",
                            "url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
                        },
                        {
                            "source_name": "Data Driven Security DGA",
                            "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
                            "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
                        },
                        {
                            "source_name": "Pace University Detecting DGA May 2017",
                            "description": "Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods . Retrieved April 26, 2019.",
                            "url": "http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf"
                        },
                        {
                            "source_name": "Endgame Predicting DGA",
                            "description": "Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019.",
                            "url": "https://arxiv.org/pdf/1611.00791.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Ryan Benson, Exabeam",
                        "Barry Shteiman, Exabeam",
                        "Sylvain Gil, Exabeam"
                    ],
                    "x_mitre_data_sources": [
                        "DNS records",
                        "Netflow/Enclave netflow",
                        "Network device logs",
                        "Packet capture",
                        "Process use of network"
                    ],
                    "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-02 01:37:39.618000+00:00\", \"old_value\": \"2020-03-12 14:45:22.784000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\\n\\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)\", \"old_value\": \"Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\\n\\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\\n \\n-Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)\\n+Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1021: Restrict Web-Based Content",
                            "M1031: Network Intrusion Prevention",
                            "T1483: Domain Generation Algorithms Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-19 18:54:47.103000+00:00",
                    "modified": "2020-10-19 22:43:45.509000+00:00",
                    "name": "Email Forwarding Rule",
                    "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim\u2019s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different recipient. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) \n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1114/003",
                            "external_id": "T1114.003"
                        },
                        {
                            "source_name": "US-CERT TA18-068A 2018",
                            "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
                        },
                        {
                            "source_name": "Microsoft Tim McMichael Exchange Mail Forwarding 2",
                            "description": "McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.",
                            "url": "https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
                    ],
                    "x_mitre_data_sources": [
                        "Process use of network",
                        "Process monitoring",
                        "Email gateway",
                        "Mail server",
                        "Office 365 trace logs"
                    ],
                    "x_mitre_detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter is used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Office 365",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 22:43:45.509000+00:00\", \"old_value\": \"2020-03-24 18:29:48.994000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1041: Encrypt Sensitive Information",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-04-18 11:00:55.862000+00:00",
                    "modified": "2020-09-16 15:56:03.459000+00:00",
                    "name": "Endpoint Denial of Service",
                    "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\n",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1499",
                            "external_id": "T1499"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/227.html",
                            "external_id": "CAPEC-227"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/131.html",
                            "external_id": "CAPEC-131"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/130.html",
                            "external_id": "CAPEC-130"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/125.html",
                            "external_id": "CAPEC-125"
                        },
                        {
                            "source_name": "FireEye OpPoisonedHandover February 2016",
                            "description": "Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong\u2019s Pro-Democracy Movement. Retrieved April 18, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
                        },
                        {
                            "source_name": "FSISAC FraudNetDoS September 2012",
                            "description": "FS-ISAC. (2012, September 17). Fraud Alert \u2013 Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019.",
                            "url": "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf"
                        },
                        {
                            "source_name": "Symantec DDoS October 2014",
                            "description": "Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019.",
                            "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf"
                        },
                        {
                            "source_name": "USNYAG IranianBotnet March 2016",
                            "description": "Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.",
                            "url": "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged"
                        },
                        {
                            "source_name": "ArsTechnica Great Firewall of China",
                            "description": "Goodin, D.. (2015, March 31). Massive denial-of-service attack on GitHub tied to Chinese government. Retrieved April 19, 2019.",
                            "url": "https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/"
                        },
                        {
                            "source_name": "Cisco DoSdetectNetflow",
                            "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.",
                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS inspection",
                        "Web logs",
                        "Web application firewall logs",
                        "Network intrusion detection system",
                        "Network protocol analysis",
                        "Network device logs",
                        "Netflow/Enclave netflow"
                    ],
                    "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "Office 365",
                        "Azure AD",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:56:03.459000+00:00\", \"old_value\": \"2020-03-29 02:07:27.676000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic",
                            "T1499: Endpoint Denial of Service Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-24 14:56:24.231000+00:00",
                    "modified": "2020-05-04 19:05:30.140000+00:00",
                    "name": "Application Shimming",
                    "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* <code>%WINDIR%\\AppPatch\\sysmain.sdb</code> and\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb</code>\n\nCustom databases are stored in:\n\n* <code>%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom</code> and\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom</code>\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1546/011",
                            "external_id": "T1546.011"
                        },
                        {
                            "source_name": "Endgame Process Injection July 2017",
                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
                        },
                        {
                            "source_name": "FireEye Application Shimming",
                            "description": "Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved May 4, 2020.",
                            "url": "http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf"
                        },
                        {
                            "source_name": "Black Hat 2015 App Shim",
                            "description": "Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. Retrieved June 22, 2017.",
                            "url": "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Process command-line parameters",
                        "Process monitoring",
                        "Windows Registry"
                    ],
                    "x_mitre_detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\\n\\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \\n\\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\\n\\n* <code>%WINDIR%\\\\AppPatch\\\\sysmain.sdb</code> and\\n* <code>hklm\\\\software\\\\microsoft\\\\windows nt\\\\currentversion\\\\appcompatflags\\\\installedsdb</code>\\n\\nCustom databases are stored in:\\n\\n* <code>%WINDIR%\\\\AppPatch\\\\custom & %WINDIR%\\\\AppPatch\\\\AppPatch64\\\\Custom</code> and\\n* <code>hklm\\\\software\\\\microsoft\\\\windows nt\\\\currentversion\\\\appcompatflags\\\\custom</code>\\n\\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. 
However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\\n\\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.\", \"old_value\": \"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\\n\\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. 
\\n\\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\\n\\n* <code>%WINDIR%\\\\AppPatch\\\\sysmain.sdb</code> and\\n* <code>hklm\\\\software\\\\microsoft\\\\windows nt\\\\currentversion\\\\appcompatflags\\\\installedsdb</code>\\n\\nCustom databases are stored in:\\n\\n* <code>%WINDIR%\\\\AppPatch\\\\custom & %WINDIR%\\\\AppPatch\\\\AppPatch64\\\\Custom</code> and\\n* <code>hklm\\\\software\\\\microsoft\\\\windows nt\\\\currentversion\\\\appcompatflags\\\\custom</code>\\n\\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\\n\\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.\", \"diff\": \"--- \\n+++ \\n@@ -12,6 +12,6 @@\\n * <code>%WINDIR%\\\\AppPatch\\\\custom & %WINDIR%\\\\AppPatch\\\\AppPatch64\\\\Custom</code> and\\n * <code>hklm\\\\software\\\\microsoft\\\\windows nt\\\\currentversion\\\\appcompatflags\\\\custom</code>\\n \\n-To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. 
However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\\n+To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\\n \\n Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.\"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to31__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to31__0\"><a href=\"#difflib_chg_to31__top\">t</a></td><td class=\"diff_header\" id=\"from31_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;establish&nbsp;persistence&nbsp;and/or&nbsp;elevate&nbsp;privile</td><td class=\"diff_next\"><a href=\"#difflib_chg_to31__top\">t</a></td><td class=\"diff_header\" id=\"to31_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;establish&nbsp;persistence&nbsp;and/or&nbsp;elevate&nbsp;privile</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;by&nbsp;executing&nbsp;malicious&nbsp;content&nbsp;triggered&nbsp;by&nbsp;application&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;by&nbsp;executing&nbsp;malicious&nbsp;content&nbsp;triggered&nbsp;by&nbsp;application&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shims.&nbsp;The&nbsp;Microsoft&nbsp;Windows&nbsp;Application&nbsp;Compatibility&nbsp;Infra</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shims.&nbsp;The&nbsp;Microsoft&nbsp;Windows&nbsp;Application&nbsp;Compatibility&nbsp;Infra</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">structure/Framework&nbsp;(Application&nbsp;Shim)&nbsp;was&nbsp;created&nbsp;to&nbsp;allow&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structure/Framework&nbsp;(Application&nbsp;Shim)&nbsp;was&nbsp;created&nbsp;to&nbsp;allow&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">for&nbsp;backward&nbsp;compatibility&nbsp;of&nbsp;software&nbsp;as&nbsp;the&nbsp;operating&nbsp;syst</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">for&nbsp;backward&nbsp;compatibility&nbsp;of&nbsp;software&nbsp;as&nbsp;the&nbsp;operating&nbsp;syst</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;codebase&nbsp;changes&nbsp;over&nbsp;time.&nbsp;For&nbsp;example,&nbsp;the&nbsp;application&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;codebase&nbsp;changes&nbsp;over&nbsp;time.&nbsp;For&nbsp;example,&nbsp;the&nbsp;application&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shimming&nbsp;feature&nbsp;allows&nbsp;developers&nbsp;to&nbsp;apply&nbsp;fixes&nbsp;to&nbsp;applica</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shimming&nbsp;feature&nbsp;allows&nbsp;developers&nbsp;to&nbsp;apply&nbsp;fixes&nbsp;to&nbsp;applica</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tions&nbsp;(without&nbsp;rewriting&nbsp;code)&nbsp;that&nbsp;were&nbsp;created&nbsp;for&nbsp;Windows</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tions&nbsp;(without&nbsp;rewriting&nbsp;code)&nbsp;that&nbsp;were&nbsp;created&nbsp;for&nbsp;Windows</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;XP&nbsp;so&nbsp;that&nbsp;it&nbsp;will&nbsp;work&nbsp;with&nbsp;Windows&nbsp;10.&nbsp;(Citation:&nbsp;Endgame</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;XP&nbsp;so&nbsp;that&nbsp;it&nbsp;will&nbsp;work&nbsp;with&nbsp;Windows&nbsp;10.&nbsp;(Citation:&nbsp;Endgame</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Process&nbsp;Injection&nbsp;July&nbsp;2017)&nbsp;&nbsp;Within&nbsp;the&nbsp;framework,&nbsp;shims&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Process&nbsp;Injection&nbsp;July&nbsp;2017)&nbsp;&nbsp;Within&nbsp;the&nbsp;framework,&nbsp;shims&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;created&nbsp;to&nbsp;act&nbsp;as&nbsp;a&nbsp;buffer&nbsp;between&nbsp;the&nbsp;program&nbsp;(or&nbsp;more&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;created&nbsp;to&nbsp;act&nbsp;as&nbsp;a&nbsp;buffer&nbsp;between&nbsp;the&nbsp;program&nbsp;(or&nbsp;more&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pecifically,&nbsp;the&nbsp;Import&nbsp;Address&nbsp;Table)&nbsp;and&nbsp;the&nbsp;Windows&nbsp;OS.&nbsp;W</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pecifically,&nbsp;the&nbsp;Import&nbsp;Address&nbsp;Table)&nbsp;and&nbsp;the&nbsp;Windows&nbsp;OS.&nbsp;W</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hen&nbsp;a&nbsp;program&nbsp;is&nbsp;executed,&nbsp;the&nbsp;shim&nbsp;cache&nbsp;is&nbsp;referenced&nbsp;to&nbsp;d</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">hen&nbsp;a&nbsp;program&nbsp;is&nbsp;executed,&nbsp;the&nbsp;shim&nbsp;cache&nbsp;is&nbsp;referenced&nbsp;to&nbsp;d</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etermine&nbsp;if&nbsp;the&nbsp;program&nbsp;requires&nbsp;the&nbsp;use&nbsp;of&nbsp;the&nbsp;shim&nbsp;databas</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etermine&nbsp;if&nbsp;the&nbsp;program&nbsp;requires&nbsp;the&nbsp;use&nbsp;of&nbsp;the&nbsp;shim&nbsp;databas</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(.sdb).&nbsp;If&nbsp;so,&nbsp;the&nbsp;shim&nbsp;database&nbsp;uses&nbsp;hooking&nbsp;to&nbsp;redirect&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(.sdb).&nbsp;If&nbsp;so,&nbsp;the&nbsp;shim&nbsp;database&nbsp;uses&nbsp;hooking&nbsp;to&nbsp;redirect&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">the&nbsp;code&nbsp;as&nbsp;necessary&nbsp;in&nbsp;order&nbsp;to&nbsp;communicate&nbsp;with&nbsp;the&nbsp;OS.&nbsp;&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">the&nbsp;code&nbsp;as&nbsp;necessary&nbsp;in&nbsp;order&nbsp;to&nbsp;communicate&nbsp;with&nbsp;the&nbsp;OS.&nbsp;&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;A&nbsp;list&nbsp;of&nbsp;all&nbsp;shims&nbsp;currently&nbsp;installed&nbsp;by&nbsp;the&nbsp;default&nbsp;Wind</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;A&nbsp;list&nbsp;of&nbsp;all&nbsp;shims&nbsp;currently&nbsp;installed&nbsp;by&nbsp;the&nbsp;default&nbsp;Wind</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ows&nbsp;installer&nbsp;(sdbinst.exe)&nbsp;is&nbsp;kept&nbsp;in:&nbsp;&nbsp;*&nbsp;&lt;code&gt;%WINDIR%\\Ap</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ows&nbsp;installer&nbsp;(sdbinst.exe)&nbsp;is&nbsp;kept&nbsp;in:&nbsp;&nbsp;*&nbsp;&lt;code&gt;%WINDIR%\\Ap</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pPatch\\sysmain.sdb&lt;/code&gt;&nbsp;and&nbsp;*&nbsp;&lt;code&gt;hklm\\software\\microsof</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pPatch\\sysmain.sdb&lt;/code&gt;&nbsp;and&nbsp;*&nbsp;&lt;code&gt;hklm\\software\\microsof</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t\\windows&nbsp;nt\\currentversion\\appcompatflags\\installedsdb&lt;/cod</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t\\windows&nbsp;nt\\currentversion\\appcompatflags\\installedsdb&lt;/cod</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&gt;&nbsp;&nbsp;Custom&nbsp;databases&nbsp;are&nbsp;stored&nbsp;in:&nbsp;&nbsp;*&nbsp;&lt;code&gt;%WINDIR%\\AppPat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&gt;&nbsp;&nbsp;Custom&nbsp;databases&nbsp;are&nbsp;stored&nbsp;in:&nbsp;&nbsp;*&nbsp;&lt;code&gt;%WINDIR%\\AppPat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch\\custom&nbsp;&amp;&nbsp;%WINDIR%\\AppPatch\\AppPatch64\\Custom&lt;/code&gt;&nbsp;and&nbsp;*</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch\\custom&nbsp;&amp;&nbsp;%WINDIR%\\AppPatch\\AppPatch64\\Custom&lt;/code&gt;&nbsp;and&nbsp;*</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;&lt;code&gt;hklm\\software\\microsoft\\windows&nbsp;nt\\currentversion\\app</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&lt;code&gt;hklm\\software\\microsoft\\windows&nbsp;nt\\currentversion\\app</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">compatflags\\custom&lt;/code&gt;&nbsp;&nbsp;To&nbsp;keep&nbsp;shims&nbsp;secure,&nbsp;Windows&nbsp;des</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">compatflags\\custom&lt;/code&gt;&nbsp;&nbsp;To&nbsp;keep&nbsp;shims&nbsp;secure,&nbsp;Windows&nbsp;des</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igned&nbsp;them&nbsp;to&nbsp;run&nbsp;in&nbsp;user&nbsp;mode&nbsp;so&nbsp;they&nbsp;cannot&nbsp;modify&nbsp;the&nbsp;ker</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igned&nbsp;them&nbsp;to&nbsp;run&nbsp;in&nbsp;user&nbsp;mode&nbsp;so&nbsp;they&nbsp;cannot&nbsp;modify&nbsp;the&nbsp;ker</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nel&nbsp;and&nbsp;you&nbsp;must&nbsp;have&nbsp;administrator&nbsp;privileges&nbsp;to&nbsp;install&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nel&nbsp;and&nbsp;you&nbsp;must&nbsp;have&nbsp;administrator&nbsp;privileges&nbsp;to&nbsp;install&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shim.&nbsp;However,&nbsp;certain&nbsp;shims&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;[Bypass&nbsp;User&nbsp;Acc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shim.&nbsp;However,&nbsp;certain&nbsp;shims&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;[Bypass&nbsp;User&nbsp;Acc</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ess</span>&nbsp;Control](https://attack.mitre.org/techniques/T1548/002)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ount</span>&nbsp;Control](https://attack.mitre.org/techniques/T1548/002)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(UAC&nbsp;and&nbsp;RedirectEXE),&nbsp;inject&nbsp;DLLs&nbsp;into&nbsp;processes&nbsp;(InjectDLL</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(UAC&nbsp;and&nbsp;RedirectEXE),&nbsp;inject&nbsp;DLLs&nbsp;into&nbsp;processes&nbsp;(InjectDL</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">),&nbsp;disable&nbsp;Data&nbsp;Execution&nbsp;Prevention&nbsp;(DisableNX)&nbsp;and&nbsp;Structu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">L),&nbsp;disable&nbsp;Data&nbsp;Execution&nbsp;Prevention&nbsp;(DisableNX)&nbsp;and&nbsp;Struct</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;Exception&nbsp;Handling&nbsp;(DisableSEH),&nbsp;and&nbsp;intercept&nbsp;memory&nbsp;add</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ure&nbsp;Exception&nbsp;Handling&nbsp;(DisableSEH),&nbsp;and&nbsp;intercept&nbsp;memory&nbsp;ad</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">resses&nbsp;(GetProcAddress).&nbsp;&nbsp;Utilizing&nbsp;these&nbsp;shims&nbsp;may&nbsp;allow&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dresses&nbsp;(GetProcAddress).&nbsp;&nbsp;Utilizing&nbsp;these&nbsp;shims&nbsp;may&nbsp;allow&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;several&nbsp;malicious&nbsp;acts&nbsp;such&nbsp;as&nbsp;elevate</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;several&nbsp;malicious&nbsp;acts&nbsp;such&nbsp;as&nbsp;elevat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;privileges,&nbsp;install&nbsp;backdoors,&nbsp;disable&nbsp;defenses&nbsp;like&nbsp;Window</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;privileges,&nbsp;install&nbsp;backdoors,&nbsp;disable&nbsp;defenses&nbsp;like&nbsp;Windo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;Defender,&nbsp;etc.&nbsp;(Citation:&nbsp;FireEye&nbsp;Application&nbsp;Shimming)&nbsp;Sh</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ws&nbsp;Defender,&nbsp;etc.&nbsp;(Citation:&nbsp;FireEye&nbsp;Application&nbsp;Shimming)&nbsp;S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ims&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;establish&nbsp;persistence&nbsp;by&nbsp;continuou</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hims&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;establish&nbsp;persistence&nbsp;by&nbsp;continuo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sly&nbsp;being&nbsp;invoked&nbsp;by&nbsp;affected&nbsp;programs.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">usly&nbsp;being&nbsp;invoked&nbsp;by&nbsp;affected&nbsp;programs.</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1051: Update Software",
                            "M1052: User Account Control"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-09-01 20:05:05.562000+00:00",
                    "name": "File and Directory Permissions Modification",
                    "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory\u2019s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [.bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1222",
                            "external_id": "T1222"
                        },
                        {
                            "source_name": "Hybrid Analysis Icacls1 June 2018",
                            "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
                            "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
                        },
                        {
                            "source_name": "Hybrid Analysis Icacls2 May 2018",
                            "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
                            "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
                        },
                        {
                            "source_name": "EventTracker File Permissions Feb 2014",
                            "description": "Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.",
                            "url": "https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "CrowdStrike Falcon OverWatch",
                        "Jan Miller, CrowdStrike"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters",
                        "Windows event logs"
                    ],
                    "x_mitre_defense_bypassed": [
                        "File system access controls"
                    ],
                    "x_mitre_detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator",
                        "SYSTEM",
                        "root"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-01 20:05:05.562000+00:00\", \"old_value\": \"2020-03-29 23:12:40.212000+00:00\"}}}",
                    "previous_version": "2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1026: Privileged Account Management"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-26 17:41:25.933000+00:00",
                    "modified": "2020-09-23 11:31:50.636000+00:00",
                    "name": "Hide Artifacts",
                    "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1564",
                            "external_id": "T1564"
                        },
                        {
                            "source_name": "Sofacy Komplex Trojan",
                            "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
                            "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
                        },
                        {
                            "source_name": "Cybereason OSX Pirrit",
                            "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.",
                            "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
                        },
                        {
                            "source_name": "MalwareBytes ADS July 2015",
                            "description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
                            "url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
                        },
                        {
                            "source_name": "Sophos Ragnar May 2020",
                            "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.",
                            "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "API monitoring",
                        "PowerShell logs",
                        "Authentication logs",
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-23 11:31:50.636000+00:00\", \"old_value\": \"2020-07-06 19:03:40.511000+00:00\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.\", \"old_value\": \"Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf\", \"old_value\": \"https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 20:12:40.876000+00:00",
                    "modified": "2020-07-31 17:42:43.768000+00:00",
                    "name": "Hidden Users",
                    "description": "Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.\n\nThere is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: <code>sudo dscl . -create /Users/username UniqueID 401</code>) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1564/002",
                            "external_id": "T1564.002"
                        },
                        {
                            "source_name": "Cybereason OSX Pirrit",
                            "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.",
                            "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Authentication logs"
                    ],
                    "x_mitre_detection": "This technique prevents the new user from showing up at the login screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "root",
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "macOS"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-31 17:42:43.768000+00:00\", \"old_value\": \"2020-03-29 22:36:25.994000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.\", \"old_value\": \"Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf\", \"old_value\": \"https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1028: Operating System Configuration"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-12 20:38:12.465000+00:00",
                    "modified": "2020-10-17 15:15:28.288000+00:00",
                    "name": "Hijack Execution Flow",
                    "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574",
                            "external_id": "T1574"
                        },
                        {
                            "source_name": "Autoruns for Windows",
                            "description": "Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.",
                            "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Environment variable",
                        "Loaded DLLs",
                        "Process command-line parameters",
                        "Process monitoring",
                        "File monitoring",
                        "DLL monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Anti-virus",
                        "Application control"
                    ],
                    "x_mitre_detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.\n\nLook for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nMonitor for changes to environment variables, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nService changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. \n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-17 15:15:28.288000+00:00\", \"old_value\": \"2020-06-26 16:09:59.324000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1022: Restrict File and Directory Permissions",
                            "M1024: Restrict Registry Permissions",
                            "M1038: Execution Prevention",
                            "M1044: Restrict Library Loading",
                            "M1047: Audit",
                            "M1051: Update Software",
                            "M1052: User Account Control"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-06-24 22:30:55.843000+00:00",
                    "modified": "2020-06-26 16:09:58.920000+00:00",
                    "name": "COR_PROFILER",
                    "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/012",
                            "external_id": "T1574.012"
                        },
                        {
                            "source_name": "Microsoft Profiling Mar 2017",
                            "description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.",
                            "url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview"
                        },
                        {
                            "source_name": "Microsoft COR_PROFILER Feb 2013",
                            "description": "Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.",
                            "url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)"
                        },
                        {
                            "source_name": "RedCanary Mockingbird May 2020",
                            "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.",
                            "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/"
                        },
                        {
                            "source_name": "Red Canary COR_PROFILER May 2020",
                            "description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.",
                            "url": "https://redcanary.com/blog/cor_profiler-for-persistence/"
                        },
                        {
                            "source_name": "Almond COR_PROFILER Apr 2019",
                            "description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.",
                            "url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html"
                        },
                        {
                            "source_name": "GitHub OmerYa Invisi-Shell",
                            "description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.",
                            "url": "https://github.com/OmerYa/Invisi-Shell"
                        },
                        {
                            "source_name": "subTee .NET Profilers May 2017",
                            "description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.",
                            "url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Jesse Brown, Red Canary"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\", \"old_value\": \"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n\\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\\n \\n-Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\\n+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)\"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to12__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to12__0\"><a href=\"#difflib_chg_to12__top\">t</a></td><td class=\"diff_header\" id=\"from12_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;COR_PROFILER&nbsp;environment&nbsp;variab</td><td class=\"diff_next\"><a href=\"#difflib_chg_to12__top\">t</a></td><td class=\"diff_header\" id=\"to12_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;COR_PROFILER&nbsp;environment&nbsp;variab</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;to&nbsp;hijack&nbsp;the&nbsp;execution&nbsp;flow&nbsp;of&nbsp;programs&nbsp;that&nbsp;load&nbsp;the&nbsp;.N</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;to&nbsp;hijack&nbsp;the&nbsp;execution&nbsp;flow&nbsp;of&nbsp;programs&nbsp;that&nbsp;load&nbsp;the&nbsp;.N</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ET&nbsp;CLR.&nbsp;The&nbsp;COR_PROFILER&nbsp;is&nbsp;a&nbsp;.NET&nbsp;Framework&nbsp;feature&nbsp;which&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ET&nbsp;CLR.&nbsp;The&nbsp;COR_PROFILER&nbsp;is&nbsp;a&nbsp;.NET&nbsp;Framework&nbsp;feature&nbsp;which&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">llows&nbsp;developers&nbsp;to&nbsp;specify&nbsp;an&nbsp;unmanaged&nbsp;(or&nbsp;external&nbsp;of&nbsp;.NE</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">llows&nbsp;developers&nbsp;to&nbsp;specify&nbsp;an&nbsp;unmanaged&nbsp;(or&nbsp;external&nbsp;of&nbsp;.NE</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">T)&nbsp;profiling&nbsp;DLL&nbsp;to&nbsp;be&nbsp;loaded&nbsp;into&nbsp;each&nbsp;.NET&nbsp;process&nbsp;that&nbsp;lo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">T)&nbsp;profiling&nbsp;DLL&nbsp;to&nbsp;be&nbsp;loaded&nbsp;into&nbsp;each&nbsp;.NET&nbsp;process&nbsp;that&nbsp;lo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ads&nbsp;the&nbsp;Common&nbsp;Language&nbsp;Runtime&nbsp;(CLR).&nbsp;These&nbsp;profiliers&nbsp;are&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ads&nbsp;the&nbsp;Common&nbsp;Language&nbsp;Runtime&nbsp;(CLR).&nbsp;These&nbsp;profiliers&nbsp;are&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">designed&nbsp;to&nbsp;monitor,&nbsp;troubleshoot,&nbsp;and&nbsp;debug&nbsp;managed&nbsp;code&nbsp;ex</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">designed&nbsp;to&nbsp;monitor,&nbsp;troubleshoot,&nbsp;and&nbsp;debug&nbsp;managed&nbsp;code&nbsp;ex</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ecuted&nbsp;by&nbsp;the&nbsp;.NET&nbsp;CLR.(Citation:&nbsp;Microsoft&nbsp;Profiling&nbsp;Mar&nbsp;20</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ecuted&nbsp;by&nbsp;the&nbsp;.NET&nbsp;CLR.(Citation:&nbsp;Microsoft&nbsp;Profiling&nbsp;Mar&nbsp;20</td></tr>\n    
        <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">17)(Citation:&nbsp;Microsoft&nbsp;COR_PROFILER&nbsp;Feb&nbsp;2013)&nbsp;&nbsp;The&nbsp;COR_PROF</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">17)(Citation:&nbsp;Microsoft&nbsp;COR_PROFILER&nbsp;Feb&nbsp;2013)&nbsp;&nbsp;The&nbsp;COR_PROF</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ILER&nbsp;environment&nbsp;variable&nbsp;can&nbsp;be&nbsp;set&nbsp;at&nbsp;various&nbsp;scopes&nbsp;(syst</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ILER&nbsp;environment&nbsp;variable&nbsp;can&nbsp;be&nbsp;set&nbsp;at&nbsp;various&nbsp;scopes&nbsp;(syst</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em,&nbsp;user,&nbsp;or&nbsp;process)&nbsp;resulting&nbsp;in&nbsp;different&nbsp;levels&nbsp;of&nbsp;influ</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em,&nbsp;user,&nbsp;or&nbsp;process)&nbsp;resulting&nbsp;in&nbsp;different&nbsp;levels&nbsp;of&nbsp;influ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ence.&nbsp;System&nbsp;and&nbsp;user-wide&nbsp;environment&nbsp;variable&nbsp;scopes&nbsp;are&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ence.&nbsp;System&nbsp;and&nbsp;user-wide&nbsp;environment&nbsp;variable&nbsp;scopes&nbsp;are&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pecified&nbsp;in&nbsp;the&nbsp;Registry,&nbsp;where&nbsp;a&nbsp;[Component&nbsp;Object&nbsp;Model](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">pecified&nbsp;in&nbsp;the&nbsp;Registry,&nbsp;where&nbsp;a&nbsp;[Component&nbsp;Object&nbsp;Model](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1559/001)&nbsp;(COM)&nbsp;object&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1559/001)&nbsp;(COM)&nbsp;object&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;be&nbsp;registered&nbsp;as&nbsp;a&nbsp;profiler&nbsp;DLL.&nbsp;A&nbsp;process&nbsp;scope&nbsp;COR_PROF</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;be&nbsp;registered&nbsp;as&nbsp;a&nbsp;profiler&nbsp;DLL.&nbsp;A&nbsp;process&nbsp;scope&nbsp;COR_PROF</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ILER&nbsp;can&nbsp;also&nbsp;be&nbsp;created&nbsp;in-memory&nbsp;without&nbsp;modifying&nbsp;the&nbsp;Reg</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ILER&nbsp;can&nbsp;also&nbsp;be&nbsp;created&nbsp;in-memory&nbsp;without&nbsp;modifying&nbsp;the&nbsp;Reg</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">istry.&nbsp;Starting&nbsp;with&nbsp;.NET&nbsp;Framework&nbsp;4,&nbsp;the&nbsp;profiling&nbsp;DLL&nbsp;doe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">istry.&nbsp;Starting&nbsp;with&nbsp;.NET&nbsp;Framework&nbsp;4,&nbsp;the&nbsp;profiling&nbsp;DLL&nbsp;doe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;not&nbsp;need&nbsp;to&nbsp;be&nbsp;registered&nbsp;as&nbsp;long&nbsp;as&nbsp;the&nbsp;location&nbsp;of&nbsp;the&nbsp;D</td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;not&nbsp;need&nbsp;to&nbsp;be&nbsp;registered&nbsp;as&nbsp;long&nbsp;as&nbsp;the&nbsp;location&nbsp;of&nbsp;the&nbsp;D</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">LL&nbsp;is&nbsp;specified&nbsp;in&nbsp;the&nbsp;COR_PROFILER_PATH&nbsp;environment&nbsp;variabl</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">LL&nbsp;is&nbsp;specified&nbsp;in&nbsp;the&nbsp;COR_PROFILER_PATH&nbsp;environment&nbsp;variabl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e.(Citation:&nbsp;Microsoft&nbsp;COR_PROFILER&nbsp;Feb&nbsp;2013)&nbsp;&nbsp;Adversaries&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e.(Citation:&nbsp;Microsoft&nbsp;COR_PROFILER&nbsp;Feb&nbsp;2013)&nbsp;&nbsp;Adversaries&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;abuse&nbsp;COR_PROFILER&nbsp;to&nbsp;establish&nbsp;persistence&nbsp;that&nbsp;executes</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;abuse&nbsp;COR_PROFILER&nbsp;to&nbsp;establish&nbsp;persistence&nbsp;that&nbsp;executes</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;malicious&nbsp;DLL&nbsp;in&nbsp;the&nbsp;context&nbsp;of&nbsp;all&nbsp;.NET&nbsp;processes&nbsp;every&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;malicious&nbsp;DLL&nbsp;in&nbsp;the&nbsp;context&nbsp;of&nbsp;all&nbsp;.NET&nbsp;processes&nbsp;every&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">time&nbsp;the&nbsp;CLR&nbsp;is&nbsp;invoked.&nbsp;The&nbsp;COR_PROFILER&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">time&nbsp;the&nbsp;CLR&nbsp;is&nbsp;invoked.&nbsp;The&nbsp;COR_PROFILER&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;elevate&nbsp;privileges&nbsp;(ex:&nbsp;[Bypass&nbsp;User&nbsp;Acc<span class=\"diff_chg\">ess</span>&nbsp;Control](https</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;elevate&nbsp;privileges&nbsp;(ex:&nbsp;[Bypass&nbsp;User&nbsp;Acc<span class=\"diff_chg\">ount</span>&nbsp;Control](http</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">://attack.mitre.org/techniques/T1548/002))&nbsp;if&nbsp;the&nbsp;victim&nbsp;.NE</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s://attack.mitre.org/techniques/T1548/002))&nbsp;if&nbsp;the&nbsp;victim&nbsp;.N</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">T&nbsp;process&nbsp;executes&nbsp;at&nbsp;a&nbsp;higher&nbsp;permission&nbsp;level,&nbsp;as&nbsp;well&nbsp;as&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ET&nbsp;process&nbsp;executes&nbsp;at&nbsp;a&nbsp;higher&nbsp;permission&nbsp;level,&nbsp;as&nbsp;well&nbsp;as</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;hook&nbsp;and&nbsp;[Impair&nbsp;Defenses](https://attack.mitre.org/techn</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;hook&nbsp;and&nbsp;[Impair&nbsp;Defenses](https://attack.mitre.org/tech</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">iques/T1562)&nbsp;provided&nbsp;by&nbsp;.NET&nbsp;processes.(Citation:&nbsp;RedCanary</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">niques/T1562)&nbsp;provided&nbsp;by&nbsp;.NET&nbsp;processes.(Citation:&nbsp;RedCanar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Mockingbird&nbsp;May&nbsp;2020)(Citation:&nbsp;Red&nbsp;Canary&nbsp;COR_PROFILER&nbsp;May</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;Mockingbird&nbsp;May&nbsp;2020)(Citation:&nbsp;Red&nbsp;Canary&nbsp;COR_PROFILER&nbsp;Ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2020)(Citation:&nbsp;Almond&nbsp;COR_PROFILER&nbsp;Apr&nbsp;2019)(Citation:&nbsp;Git</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;2020)(Citation:&nbsp;Almond&nbsp;COR_PROFILER&nbsp;Apr&nbsp;2019)(Citation:&nbsp;Gi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Hub&nbsp;OmerYa&nbsp;Invisi-Shell)(Citation:&nbsp;subTee&nbsp;.NET&nbsp;Profilers&nbsp;May</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tHub&nbsp;OmerYa&nbsp;Invisi-Shell)(Citation:&nbsp;subTee&nbsp;.NET&nbsp;Profilers&nbsp;Ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2017)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;2017)</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1024: Restrict Registry Permissions",
                            "M1038: Execution Prevention"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 19:41:37.908000+00:00",
                    "modified": "2020-10-17 15:15:27.807000+00:00",
                    "name": "DLL Side-Loading",
                    "description": "Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.\n\nPrograms may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one.  (Citation: FireEye DLL Side-Loading)\n\nAdversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/002",
                            "external_id": "T1574.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/641.html",
                            "external_id": "CAPEC-641"
                        },
                        {
                            "source_name": "About Side by Side Assemblies",
                            "description": "Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved March 13, 2020.",
                            "url": "https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies-"
                        },
                        {
                            "source_name": "FireEye DLL Side-Loading",
                            "description": "Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Loaded DLLs",
                        "Process monitoring",
                        "Process use of network"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Anti-virus",
                        "Application control"
                    ],
                    "x_mitre_detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-17 15:15:27.807000+00:00\", \"old_value\": \"2020-06-20 22:05:42.513000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/641.html\", \"old_value\": \"https://capec.mitre.org/data/definitions/capec.html\"}, \"root['external_references'][1]['external_id']\": {\"new_value\": \"CAPEC-641\", \"old_value\": \"CAPEC-capec\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1047: Audit",
                            "M1051: Update Software"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-16 15:23:30.896000+00:00",
                    "modified": "2020-09-16 16:48:09.391000+00:00",
                    "name": "Dylib Hijacking",
                    "description": "Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths.\n\nA common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X)\n\nIf the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/004",
                            "external_id": "T1574.004"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/471.html",
                            "external_id": "CAPEC-471"
                        },
                        {
                            "source_name": "Writing Bad Malware for OSX",
                            "description": "Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.",
                            "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf"
                        },
                        {
                            "source_name": "Malware Persistence on OS X",
                            "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.",
                            "url": "https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Application control"
                    ],
                    "x_mitre_detection": "Objective-See's Dylib Hijacking Scanner can be used to detect potential cases of dylib hijacking. Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. ",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "macOS"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 16:48:09.391000+00:00\", \"old_value\": \"2020-06-20 22:06:47.115000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/471.html\", \"old_value\": \"https://capec.mitre.org/data/definitions/CAPEC.html\"}, \"root['external_references'][1]['external_id']\": {\"new_value\": \"CAPEC-471\", \"old_value\": \"CAPEC-CAPEC\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 11:12:18.558000+00:00",
                    "modified": "2020-03-26 19:20:23.030000+00:00",
                    "name": "Executable Installer File Permissions Weakness",
                    "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/005",
                            "external_id": "T1574.005"
                        },
                        {
                            "source_name": "mozilla_sec_adv_2012",
                            "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
                            "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
                        },
                        {
                            "source_name": "Executable Installers are Vulnerable",
                            "description": "Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.",
                            "url": "https://seclists.org/fulldisclosure/2015/Dec/34"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Travis Smith, Tripwire",
                        "Stefan Kanthak"
                    ],
                    "x_mitre_data_sources": [
                        "Process command-line parameters",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.",
                    "x_mitre_effective_permissions": [
                        "Administrator",
                        "User",
                        "SYSTEM"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\\n\\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\\n\\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). 
Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\", \"old_value\": \"Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\\n\\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\\n\\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. 
Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\\n \\n-Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). 
Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\\n+Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to22__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to22__0\"><a href=\"#difflib_chg_to22__top\">t</a></td><td class=\"diff_header\" id=\"from22_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td><td class=\"diff_next\"><a href=\"#difflib_chg_to22__top\">t</a></td><td class=\"diff_header\" id=\"to22_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cking&nbsp;the&nbsp;binaries&nbsp;used&nbsp;by&nbsp;an&nbsp;installer.&nbsp;These&nbsp;processes&nbsp;may</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cking&nbsp;the&nbsp;binaries&nbsp;used&nbsp;by&nbsp;an&nbsp;installer.&nbsp;These&nbsp;processes&nbsp;may</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;automatically&nbsp;execute&nbsp;specific&nbsp;binaries&nbsp;as&nbsp;part&nbsp;of&nbsp;their&nbsp;fu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;automatically&nbsp;execute&nbsp;specific&nbsp;binaries&nbsp;as&nbsp;part&nbsp;of&nbsp;their&nbsp;fu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">nctionality&nbsp;or&nbsp;to&nbsp;perform&nbsp;other&nbsp;actions.&nbsp;If&nbsp;the&nbsp;permissions&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nctionality&nbsp;or&nbsp;to&nbsp;perform&nbsp;other&nbsp;actions.&nbsp;If&nbsp;the&nbsp;permissions&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;the&nbsp;file&nbsp;system&nbsp;directory&nbsp;containing&nbsp;a&nbsp;target&nbsp;binary,&nbsp;or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;the&nbsp;file&nbsp;system&nbsp;directory&nbsp;containing&nbsp;a&nbsp;target&nbsp;binary,&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">permissions&nbsp;on&nbsp;the&nbsp;binary&nbsp;itself,&nbsp;are&nbsp;improperly&nbsp;set,&nbsp;then&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">permissions&nbsp;on&nbsp;the&nbsp;binary&nbsp;itself,&nbsp;are&nbsp;improperly&nbsp;set,&nbsp;then&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;target&nbsp;binary&nbsp;may&nbsp;be&nbsp;overwritten&nbsp;with&nbsp;another&nbsp;binary&nbsp;usin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;target&nbsp;binary&nbsp;may&nbsp;be&nbsp;overwritten&nbsp;with&nbsp;another&nbsp;binary&nbsp;usin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;user-level&nbsp;permissions&nbsp;and&nbsp;executed&nbsp;by&nbsp;the&nbsp;original&nbsp;proces</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;user-level&nbsp;permissions&nbsp;and&nbsp;executed&nbsp;by&nbsp;the&nbsp;original&nbsp;proces</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.&nbsp;If&nbsp;the&nbsp;original&nbsp;process&nbsp;and&nbsp;thread&nbsp;are&nbsp;running&nbsp;under&nbsp;a&nbsp;hi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.&nbsp;If&nbsp;the&nbsp;original&nbsp;process&nbsp;and&nbsp;thread&nbsp;are&nbsp;running&nbsp;under&nbsp;a&nbsp;hi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gher&nbsp;permissions&nbsp;level,&nbsp;then&nbsp;the&nbsp;replaced&nbsp;binary&nbsp;will&nbsp;also&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gher&nbsp;permissions&nbsp;level,&nbsp;then&nbsp;the&nbsp;replaced&nbsp;binary&nbsp;will&nbsp;also&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecute&nbsp;under&nbsp;higher-level&nbsp;permissions,&nbsp;which&nbsp;could&nbsp;include&nbsp;S</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecute&nbsp;under&nbsp;higher-level&nbsp;permissions,&nbsp;which&nbsp;could&nbsp;include&nbsp;S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">YSTEM.&nbsp;&nbsp;Another&nbsp;variation&nbsp;of&nbsp;this&nbsp;technique&nbsp;can&nbsp;be&nbsp;performed</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">YSTEM.&nbsp;&nbsp;Another&nbsp;variation&nbsp;of&nbsp;this&nbsp;technique&nbsp;can&nbsp;be&nbsp;performed</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;a&nbsp;weakness&nbsp;that&nbsp;is&nbsp;common&nbsp;in&nbsp;executa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;a&nbsp;weakness&nbsp;that&nbsp;is&nbsp;common&nbsp;in&nbsp;executa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ble,&nbsp;self-extracting&nbsp;installers.&nbsp;During&nbsp;the&nbsp;installation&nbsp;pro</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ble,&nbsp;self-extracting&nbsp;installers.&nbsp;During&nbsp;the&nbsp;installation&nbsp;pro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cess,&nbsp;it&nbsp;is&nbsp;common&nbsp;for&nbsp;installers&nbsp;to&nbsp;use&nbsp;a&nbsp;subdirectory&nbsp;with</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cess,&nbsp;it&nbsp;is&nbsp;common&nbsp;for&nbsp;installers&nbsp;to&nbsp;use&nbsp;a&nbsp;subdirectory&nbsp;with</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;the&nbsp;&lt;code&gt;%TEMP%&lt;/code&gt;&nbsp;directory&nbsp;to&nbsp;unpack&nbsp;binaries&nbsp;such</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;the&nbsp;&lt;code&gt;%TEMP%&lt;/code&gt;&nbsp;directory&nbsp;to&nbsp;unpack&nbsp;binaries&nbsp;such</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;DLLs,&nbsp;EXEs,&nbsp;or&nbsp;other&nbsp;payloads.&nbsp;When&nbsp;installers&nbsp;create&nbsp;su</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;DLLs,&nbsp;EXEs,&nbsp;or&nbsp;other&nbsp;payloads.&nbsp;When&nbsp;installers&nbsp;create&nbsp;su</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bdirectories&nbsp;and&nbsp;files&nbsp;they&nbsp;often&nbsp;do&nbsp;not&nbsp;set&nbsp;appropriate&nbsp;per</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bdirectories&nbsp;and&nbsp;files&nbsp;they&nbsp;often&nbsp;do&nbsp;not&nbsp;set&nbsp;appropriate&nbsp;per</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">missions&nbsp;to&nbsp;restrict&nbsp;write&nbsp;access,&nbsp;which&nbsp;allows&nbsp;for&nbsp;executio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">missions&nbsp;to&nbsp;restrict&nbsp;write&nbsp;access,&nbsp;which&nbsp;allows&nbsp;for&nbsp;executio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;of&nbsp;untrusted&nbsp;code&nbsp;placed&nbsp;in&nbsp;the&nbsp;subdirectories&nbsp;or&nbsp;overwrit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;of&nbsp;untrusted&nbsp;code&nbsp;placed&nbsp;in&nbsp;the&nbsp;subdirectories&nbsp;or&nbsp;overwrit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;of&nbsp;binaries&nbsp;used&nbsp;in&nbsp;the&nbsp;installation&nbsp;process.&nbsp;This&nbsp;behav</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;of&nbsp;binaries&nbsp;used&nbsp;in&nbsp;the&nbsp;installation&nbsp;process.&nbsp;This&nbsp;behav</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ior&nbsp;is&nbsp;related&nbsp;to&nbsp;and&nbsp;may&nbsp;take&nbsp;advantage&nbsp;of&nbsp;[DLL&nbsp;Search&nbsp;Orde</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ior&nbsp;is&nbsp;related&nbsp;to&nbsp;and&nbsp;may&nbsp;take&nbsp;advantage&nbsp;of&nbsp;[DLL&nbsp;Search&nbsp;Orde</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">r&nbsp;Hijacking](https://attack.mitre.org/techniques/T1574/001).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;Hijacking](https://attack.mitre.org/techniques/T1574/001).</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;this&nbsp;technique&nbsp;to&nbsp;replace&nbsp;legitimate&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;this&nbsp;technique&nbsp;to&nbsp;replace&nbsp;legitimate&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">inaries&nbsp;with&nbsp;malicious&nbsp;ones&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;executing&nbsp;code&nbsp;at&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">inaries&nbsp;with&nbsp;malicious&nbsp;ones&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;executing&nbsp;code&nbsp;at&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;higher&nbsp;permissions&nbsp;level.&nbsp;Some&nbsp;installers&nbsp;may&nbsp;also&nbsp;require</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;higher&nbsp;permissions&nbsp;level.&nbsp;Some&nbsp;installers&nbsp;may&nbsp;also&nbsp;require</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;elevated&nbsp;privileges&nbsp;that&nbsp;will&nbsp;result&nbsp;in&nbsp;privilege&nbsp;escalatio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;elevated&nbsp;privileges&nbsp;that&nbsp;will&nbsp;result&nbsp;in&nbsp;privilege&nbsp;escalatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">n&nbsp;when&nbsp;executing&nbsp;adversary&nbsp;controlled&nbsp;code.&nbsp;This&nbsp;behavior&nbsp;is</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;when&nbsp;executing&nbsp;adversary&nbsp;controlled&nbsp;code.&nbsp;This&nbsp;behavior&nbsp;is</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;related&nbsp;to&nbsp;[Bypass&nbsp;User&nbsp;Acc<span class=\"diff_chg\">ess</span>&nbsp;Control](https://attack.mitr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;related&nbsp;to&nbsp;[Bypass&nbsp;User&nbsp;Acc<span class=\"diff_chg\">ount</span>&nbsp;Control](https://attack.mit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e.org/techniques/T1548/002).&nbsp;Several&nbsp;examples&nbsp;of&nbsp;this&nbsp;weakne</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re.org/techniques/T1548/002).&nbsp;Several&nbsp;examples&nbsp;of&nbsp;this&nbsp;weakn</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;in&nbsp;existing&nbsp;common&nbsp;installers&nbsp;have&nbsp;been&nbsp;reported&nbsp;to&nbsp;softw</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ess&nbsp;in&nbsp;existing&nbsp;common&nbsp;installers&nbsp;have&nbsp;been&nbsp;reported&nbsp;to&nbsp;soft</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are&nbsp;vendors.(Citation:&nbsp;mozilla_sec_adv_2012)&nbsp;&nbsp;(Citation:&nbsp;Exe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;vendors.(Citation:&nbsp;mozilla_sec_adv_2012)&nbsp;&nbsp;(Citation:&nbsp;Ex</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">cutable&nbsp;Installers&nbsp;are&nbsp;Vulnerable)&nbsp;If&nbsp;the&nbsp;executing&nbsp;process&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ecutable&nbsp;Installers&nbsp;are&nbsp;Vulnerable)&nbsp;If&nbsp;the&nbsp;executing&nbsp;process</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">is&nbsp;set&nbsp;to&nbsp;run&nbsp;at&nbsp;a&nbsp;specific&nbsp;time&nbsp;or&nbsp;during&nbsp;a&nbsp;certain&nbsp;event&nbsp;(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;is&nbsp;set&nbsp;to&nbsp;run&nbsp;at&nbsp;a&nbsp;specific&nbsp;time&nbsp;or&nbsp;during&nbsp;a&nbsp;certain&nbsp;event&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e.g.,&nbsp;system&nbsp;bootup)&nbsp;then&nbsp;this&nbsp;technique&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;fo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(e.g.,&nbsp;system&nbsp;bootup)&nbsp;then&nbsp;this&nbsp;technique&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;f</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;persistence.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;persistence.</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit",
                            "M1052: User Account Control"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 14:10:43.424000+00:00",
                    "modified": "2020-09-16 16:56:34.583000+00:00",
                    "name": "Path Interception by PATH Environment Variable",
                    "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to locate programs. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, <code>%SystemRoot%\\system32</code> (e.g., <code>C:\\Windows\\system32</code>), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if <code>C:\\example path</code> precedes <code>C:\\Windows\\system32</code> in the PATH environment variable, a program that is named net.exe and placed in <code>C:\\example path</code> will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/007",
                            "external_id": "T1574.007"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/13.html",
                            "external_id": "CAPEC-13"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/38.html",
                            "external_id": "CAPEC-38"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Stefan Kanthak"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Application control"
                    ],
                    "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 16:56:34.583000+00:00\", \"old_value\": \"2020-06-20 22:02:40.983000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/13.html\", \"old_value\": \"https://capec.mitre.org/data/definitions/capec.html\"}, \"root['external_references'][1]['external_id']\": {\"new_value\": \"CAPEC-13\", \"old_value\": \"CAPEC-capec\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"capec\", \"url\": \"https://capec.mitre.org/data/definitions/38.html\", \"external_id\": \"CAPEC-38\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1038: Execution Prevention",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 17:48:58.999000+00:00",
                    "modified": "2020-09-17 19:03:35.217000+00:00",
                    "name": "Path Interception by Search Order Hijacking",
                    "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument <code>net user</code>. An adversary may place a program called \"net.exe\" within the same directory as example.exe, and \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then <code>cmd.exe /C net user</code> will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/008",
                            "external_id": "T1574.008"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/159.html",
                            "external_id": "CAPEC-159"
                        },
                        {
                            "source_name": "Microsoft CreateProcess",
                            "description": "Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.",
                            "url": "http://msdn.microsoft.com/en-us/library/ms682425"
                        },
                        {
                            "source_name": "Windows NT Command Shell",
                            "description": "Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.",
                            "url": "https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120"
                        },
                        {
                            "source_name": "Microsoft WinExec",
                            "description": "Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.",
                            "url": "http://msdn.microsoft.com/en-us/library/ms687393"
                        },
                        {
                            "source_name": "Microsoft Environment Property",
                            "description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.",
                            "url": "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Stefan Kanthak"
                    ],
                    "x_mitre_data_sources": [
                        "Process monitoring",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n",
                    "x_mitre_effective_permissions": [
                        "Administrator",
                        "SYSTEM",
                        "User"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User",
                        "SYSTEM"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-17 19:03:35.217000+00:00\", \"old_value\": \"2020-03-26 20:03:27.496000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/159.html\", \"old_value\": \"https://capec.mitre.org/data/definitions/CAPEC.html\"}, \"root['external_references'][1]['external_id']\": {\"new_value\": \"CAPEC-159\", \"old_value\": \"CAPEC-CAPEC\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1038: Execution Prevention",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-12 20:43:53.998000+00:00",
                    "modified": "2020-09-16 19:10:04.262000+00:00",
                    "name": "Services File Permissions Weakness",
                    "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/010",
                            "external_id": "T1574.010"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/17.html",
                            "external_id": "CAPEC-17"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Travis Smith, Tripwire",
                        "Stefan Kanthak"
                    ],
                    "x_mitre_data_sources": [
                        "Process command-line parameters",
                        "Services",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ",
                    "x_mitre_effective_permissions": [
                        "SYSTEM",
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:10:04.262000+00:00\", \"old_value\": \"2020-03-26 19:37:28.912000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/17.html\", \"old_value\": \"https://capec.mitre.org/data/definitions/CAPEC.html\"}, \"root['external_references'][1]['external_id']\": {\"new_value\": \"CAPEC-17\", \"old_value\": \"CAPEC-CAPEC\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit",
                            "M1052: User Account Control"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-03-13 11:42:14.444000+00:00",
                    "modified": "2020-09-16 19:07:48.590000+00:00",
                    "name": "Services Registry Permissions Weakness",
                    "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions of Registry keys to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: Registry Key Security)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1574/011",
                            "external_id": "T1574.011"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/478.html",
                            "external_id": "CAPEC-478"
                        },
                        {
                            "source_name": "Registry Key Security",
                            "description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
                            "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN"
                        },
                        {
                            "source_name": "Kansa Service related collectors",
                            "description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
                            "url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
                        },
                        {
                            "source_name": "Tweet Registry Perms Weakness",
                            "description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.",
                            "url": "https://twitter.com/r0wdy_/status/936365549553991680"
                        },
                        {
                            "source_name": "Autoruns for Windows",
                            "description": "Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.",
                            "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Travis Smith, Tripwire",
                        "Matthew Demaske, Adaptforward"
                    ],
                    "x_mitre_data_sources": [
                        "Windows Registry",
                        "Services",
                        "Process command-line parameters"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Application control"
                    ],
                    "x_mitre_detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
                    "x_mitre_effective_permissions": [
                        "SYSTEM"
                    ],
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:07:48.590000+00:00\", \"old_value\": \"2020-06-20 22:01:09.906000+00:00\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://capec.mitre.org/data/definitions/478.html\", \"old_value\": \"https://capec.mitre.org/data/definitions/CAPEC.html\"}, \"root['external_references'][1]['external_id']\": {\"new_value\": \"CAPEC-478\", \"old_value\": \"CAPEC-CAPEC\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1024: Restrict Registry Permissions"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-21 20:22:13.470000+00:00",
                    "modified": "2020-10-19 16:31:35.249000+00:00",
                    "name": "Impair Defenses",
                    "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1562",
                            "external_id": "T1562"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "GCP audit logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs",
                        "Anti-virus",
                        "Services",
                        "API monitoring",
                        "Environment variable",
                        "Authentication logs",
                        "File monitoring",
                        "Process command-line parameters",
                        "Process monitoring",
                        "Windows Registry"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Anti-virus",
                        "Signature-based detection",
                        "Host intrusion prevention systems",
                        "File monitoring",
                        "Digital Certificate Validation",
                        "Host forensic analysis",
                        "Log analysis",
                        "Firewall"
                    ],
                    "x_mitre_detection": "Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.\n\nMonitor environment variables and APIs that can be leveraged to disable security measures.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS",
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 16:31:35.249000+00:00\", \"old_value\": \"2020-07-09 14:43:42.718000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1022: Restrict File and Directory Permissions",
                            "M1024: Restrict Registry Permissions"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-06-24 16:55:46.243000+00:00",
                    "modified": "2020-09-14 20:02:24.426000+00:00",
                    "name": "Disable or Modify Cloud Firewall",
                    "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1562/007",
                            "external_id": "T1562.007"
                        },
                        {
                            "source_name": "Expel IO Evil in AWS",
                            "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.",
                            "url": "https://expel.io/blog/finding-evil-in-aws/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Expel"
                    ],
                    "x_mitre_data_sources": [
                        "Stackdriver logs",
                        "GCP audit logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs"
                    ],
                    "x_mitre_detection": "Monitor cloud logs for modification or creation of new security groups or firewall rules.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-14 20:02:24.426000+00:00\", \"old_value\": \"2020-07-07 13:49:05.345000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.\", \"old_value\": \"Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:55.892000+00:00",
                    "modified": "2020-10-16 18:09:49.074000+00:00",
                    "name": "Indicator Removal on Host",
                    "description": "Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*.\n\nThese actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1070",
                            "external_id": "T1070"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/93.html",
                            "external_id": "CAPEC-93"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Ed Williams, Trustwave, SpiderLabs"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters",
                        "API monitoring",
                        "Windows event logs"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Log analysis",
                        "Host intrusion prevention systems",
                        "Anti-virus"
                    ],
                    "x_mitre_detection": "File system monitoring may be used to detect improper deletion or modification of indicator files.  Events not stored on the file system may require different detection mechanisms.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-16 18:09:49.074000+00:00\", \"old_value\": \"2020-03-29 21:43:29.196000+00:00\"}}}",
                    "previous_version": "1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1022: Restrict File and Directory Permissions",
                            "M1029: Remote Data Storage",
                            "M1041: Encrypt Sensitive Information",
                            "T1070: Indicator Removal on Host Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 18:58:45.908000+00:00",
                    "modified": "2020-03-24 20:56:14.853000+00:00",
                    "name": "GUI Input Capture",
                    "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "collection"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1056/002",
                            "external_id": "T1056.002"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/659.html",
                            "external_id": "CAPEC-659"
                        },
                        {
                            "source_name": "OSX Malware Exploits MacKeeper",
                            "description": "Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.",
                            "url": "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html"
                        },
                        {
                            "source_name": "LogRhythm Do You Trust Oct 2014",
                            "description": "Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018.",
                            "url": "https://logrhythm.com/blog/do-you-trust-your-computer/"
                        },
                        {
                            "source_name": "OSX Keydnap malware",
                            "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
                            "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
                        },
                        {
                            "source_name": "Enigma Phishing for Credentials Jan 2015",
                            "description": "Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.",
                            "url": "https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Matthew Molyett, @s1air, Cisco Talos"
                    ],
                    "x_mitre_data_sources": [
                        "PowerShell logs",
                        "User interface",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_detection": "Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials.\n\nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\\n\\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). \", \"old_value\": \"Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. 
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\\n\\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\\n+Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. 
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\\n \\n Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). \"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to32__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to32__0\"><a href=\"#difflib_chg_to32__top\">t</a></td><td class=\"diff_header\" id=\"from32_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;mimic&nbsp;common&nbsp;operating&nbsp;system&nbsp;GUI&nbsp;components</td><td class=\"diff_next\"><a href=\"#difflib_chg_to32__top\">t</a></td><td class=\"diff_header\" id=\"to32_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;mimic&nbsp;common&nbsp;operating&nbsp;system&nbsp;GUI&nbsp;components</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;prompt&nbsp;users&nbsp;for&nbsp;credentials&nbsp;with&nbsp;a&nbsp;seemingly&nbsp;legitimate</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;prompt&nbsp;users&nbsp;for&nbsp;credentials&nbsp;with&nbsp;a&nbsp;seemingly&nbsp;legitimate</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;prompt.&nbsp;When&nbsp;programs&nbsp;are&nbsp;executed&nbsp;that&nbsp;need&nbsp;additional&nbsp;pri</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;prompt.&nbsp;When&nbsp;programs&nbsp;are&nbsp;executed&nbsp;that&nbsp;need&nbsp;additional&nbsp;pri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">vileges&nbsp;than&nbsp;are&nbsp;present&nbsp;in&nbsp;the&nbsp;current&nbsp;user&nbsp;context,&nbsp;it&nbsp;is&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">vileges&nbsp;than&nbsp;are&nbsp;present&nbsp;in&nbsp;the&nbsp;current&nbsp;user&nbsp;context,&nbsp;it&nbsp;is&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">common&nbsp;for&nbsp;the&nbsp;operating&nbsp;system&nbsp;to&nbsp;prompt&nbsp;the&nbsp;user&nbsp;for&nbsp;prope</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">common&nbsp;for&nbsp;the&nbsp;operating&nbsp;system&nbsp;to&nbsp;prompt&nbsp;the&nbsp;user&nbsp;for&nbsp;prope</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;credentials&nbsp;to&nbsp;authorize&nbsp;the&nbsp;elevated&nbsp;privileges&nbsp;for&nbsp;the&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;credentials&nbsp;to&nbsp;authorize&nbsp;the&nbsp;elevated&nbsp;privileges&nbsp;for&nbsp;the&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ask&nbsp;(ex:&nbsp;[Bypass&nbsp;User&nbsp;Acc<span class=\"diff_chg\">ess</span>&nbsp;Control](https://attack.mitre.o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ask&nbsp;(ex:&nbsp;[Bypass&nbsp;User&nbsp;Acc<span class=\"diff_chg\">ount</span>&nbsp;Control](https://attack.mitre.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rg/techniques/T1548/002)).&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;mimic&nbsp;this&nbsp;funct</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">org/techniques/T1548/002)).&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;mimic&nbsp;this&nbsp;func</td></tr>\n            
<tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ionality&nbsp;to&nbsp;prompt&nbsp;users&nbsp;for&nbsp;credentials&nbsp;with&nbsp;a&nbsp;seemingly&nbsp;le</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tionality&nbsp;to&nbsp;prompt&nbsp;users&nbsp;for&nbsp;credentials&nbsp;with&nbsp;a&nbsp;seemingly&nbsp;l</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gitimate&nbsp;prompt&nbsp;for&nbsp;a&nbsp;number&nbsp;of&nbsp;reasons&nbsp;that&nbsp;mimic&nbsp;normal&nbsp;us</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">egitimate&nbsp;prompt&nbsp;for&nbsp;a&nbsp;number&nbsp;of&nbsp;reasons&nbsp;that&nbsp;mimic&nbsp;normal&nbsp;u</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">age,&nbsp;such&nbsp;as&nbsp;a&nbsp;fake&nbsp;installer&nbsp;requiring&nbsp;additional&nbsp;access&nbsp;or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sage,&nbsp;such&nbsp;as&nbsp;a&nbsp;fake&nbsp;installer&nbsp;requiring&nbsp;additional&nbsp;access&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;fake&nbsp;malware&nbsp;removal&nbsp;suite.(Citation:&nbsp;OSX&nbsp;Malware&nbsp;Exploit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;a&nbsp;fake&nbsp;malware&nbsp;removal&nbsp;suite.(Citation:&nbsp;OSX&nbsp;Malware&nbsp;Exploi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;MacKeeper)&nbsp;This&nbsp;type&nbsp;of&nbsp;prompt&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;collect&nbsp;cred</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ts&nbsp;MacKeeper)&nbsp;This&nbsp;type&nbsp;of&nbsp;prompt&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;collect&nbsp;cre</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entials&nbsp;via&nbsp;various&nbsp;languages&nbsp;such&nbsp;as&nbsp;AppleScript(Citation:&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dentials&nbsp;via&nbsp;various&nbsp;languages&nbsp;such&nbsp;as&nbsp;AppleScript(Citation:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">LogRhythm&nbsp;Do&nbsp;You&nbsp;Trust&nbsp;Oct&nbsp;2014)(Citation:&nbsp;OSX&nbsp;Keydnap&nbsp;malwa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;LogRhythm&nbsp;Do&nbsp;You&nbsp;Trust&nbsp;Oct&nbsp;2014)(Citation:&nbsp;OSX&nbsp;Keydnap&nbsp;malw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re)&nbsp;and&nbsp;PowerShell(Citation:&nbsp;LogRhythm&nbsp;Do&nbsp;You&nbsp;Trust&nbsp;Oct&nbsp;2014</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are)&nbsp;and&nbsp;PowerShell(Citation:&nbsp;LogRhythm&nbsp;Do&nbsp;You&nbsp;Trust&nbsp;Oct&nbsp;201</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)(Citation:&nbsp;Enigma&nbsp;Phishing&nbsp;for&nbsp;Credentials&nbsp;Jan&nbsp;2015).&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">4)(Citation:&nbsp;Enigma&nbsp;Phishing&nbsp;for&nbsp;Credentials&nbsp;Jan&nbsp;2015).&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1017: User Training"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-09-04 19:26:12.441000+00:00",
                    "modified": "2020-09-17 18:26:41.796000+00:00",
                    "name": "Internal Spearphishing",
                    "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is a multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "lateral-movement"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1534",
                            "external_id": "T1534"
                        },
                        {
                            "source_name": "Trend Micro When Phishing Starts from the Inside 2017",
                            "description": "Chris Taylor. (2017, October 5). When Phishing Starts from the Inside. Retrieved October 8, 2019.",
                            "url": "https://blog.trendmicro.com/phishing-starts-inside/"
                        },
                        {
                            "source_name": "THE FINANCIAL TIMES LTD 2019.",
                            "description": "THE FINANCIAL TIMES. (2019, September 2). A sobering day. Retrieved October 8, 2019.",
                            "url": "https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Tim MalcomVetter",
                        "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
                    ],
                    "x_mitre_data_sources": [
                        "SSL/TLS inspection",
                        "DNS records",
                        "Anti-virus",
                        "Web proxy",
                        "File monitoring",
                        "Mail server",
                        "Office 365 trace logs"
                    ],
                    "x_mitre_detection": "Network intrusion detection systems and email gateways usually do not scan internal (intra-organization) email, so a message sent from a compromised internal account may never pass a perimeter control. An organization can instead leverage a journaling-based solution that sends a copy of emails to a security service for offline analysis, or incorporate service-integrated solutions using on-premise or API-based integrations, to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "macOS",
                        "Linux",
                        "Office 365",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-17 18:26:41.796000+00:00\", \"old_value\": \"2020-03-31 22:13:33.718000+00:00\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6\", \"old_value\": \" https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 \"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-02-11 19:05:02.399000+00:00",
                    "modified": "2020-08-26 14:16:48.125000+00:00",
                    "name": "Domain Controller Authentication",
                    "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton Key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "credential-access"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1556/001",
                            "external_id": "T1556.001"
                        },
                        {
                            "source_name": "Dell Skeleton",
                            "description": "Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.",
                            "url": "https://www.secureworks.com/research/skeleton-key-malware-analysis"
                        },
                        {
                            "source_name": "TechNet Audit Policy",
                            "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Authentication logs",
                        "API monitoring",
                        "DLL monitoring"
                    ],
                    "x_mitre_detection": "Monitor for calls to <code>OpenProcess</code> that can be used to manipulate lsass.exe running on a domain controller, as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) Because the patch is applied to LSASS in memory and does not survive a reboot, on-disk file-integrity checks alone are unlikely to reveal it; inspecting the running LSASS process on domain controllers is likely needed to confirm a modification.\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, whether user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-26 14:16:48.125000+00:00\", \"old_value\": \"2020-03-25 20:51:30.829000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \\n\\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)\", \"old_value\": \"Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. \\n\\nMalware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user\\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. 
Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. \\n+Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \\n \\n-Malware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user\\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)\\n+Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. 
Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)\"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to11__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to11__0\"><a href=\"#difflib_chg_to11__top\">t</a></td><td class=\"diff_header\" id=\"from11_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;patch&nbsp;the&nbsp;authentication&nbsp;process&nbsp;on&nbsp;a&nbsp;domain</td><td class=\"diff_next\"><a href=\"#difflib_chg_to11__top\">t</a></td><td class=\"diff_header\" id=\"to11_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;patch&nbsp;the&nbsp;authentication&nbsp;process&nbsp;on&nbsp;a&nbsp;domain</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;control<span class=\"diff_chg\">&nbsp;to</span>&nbsp;bypass&nbsp;the&nbsp;typical&nbsp;authentication&nbsp;mechanisms&nbsp;and</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;control<span class=\"diff_chg\">ler&nbsp;to</span>&nbsp;bypass&nbsp;the&nbsp;typical&nbsp;authentication&nbsp;mechanisms&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;enable&nbsp;access&nbsp;to&nbsp;accounts.&nbsp;&nbsp;&nbsp;Malware&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;inject&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">and&nbsp;enable&nbsp;access&nbsp;to&nbsp;accounts.&nbsp;&nbsp;&nbsp;Malware&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;inje</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">false&nbsp;credentials&nbsp;into&nbsp;the&nbsp;authentication&nbsp;process&nbsp;on&nbsp;a&nbsp;domai</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ct&nbsp;false&nbsp;credentials&nbsp;into&nbsp;the&nbsp;authentication&nbsp;process&nbsp;on&nbsp;a&nbsp;do</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;control&nbsp;with&nbsp;the&nbsp;intent&nbsp;of&nbsp;creating&nbsp;a&nbsp;backdoor&nbsp;used&nbsp;to&nbsp;acc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">main&nbsp;control<span class=\"diff_add\">ler</span>&nbsp;with&nbsp;the&nbsp;intent&nbsp;of&nbsp;creating&nbsp;a&nbsp;backdoor&nbsp;used&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ess&nbsp;any&nbsp;user\u2019s&nbsp;account&nbsp;and/or&nbsp;credentials&nbsp;(ex:&nbsp;[Skeleton&nbsp;Key</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;access&nbsp;any&nbsp;user\u2019s&nbsp;account&nbsp;and/or&nbsp;credentials&nbsp;(ex:&nbsp;[Skelet</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">](https://attack.mitre.org/software/S0007)).&nbsp;Skeleton&nbsp;key&nbsp;wo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;Key](https://attack.mitre.org/software/S0007)).&nbsp;Skeleton&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rks&nbsp;through&nbsp;a&nbsp;patch&nbsp;on&nbsp;an&nbsp;enterprise&nbsp;domain&nbsp;controller&nbsp;authe</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">key&nbsp;works&nbsp;through&nbsp;a&nbsp;patch&nbsp;on&nbsp;an&nbsp;enterprise&nbsp;domain&nbsp;controller</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ntication&nbsp;process&nbsp;(LSASS)&nbsp;with&nbsp;credentials&nbsp;that&nbsp;adversaries&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;authentication&nbsp;process&nbsp;(LSASS)&nbsp;with&nbsp;credentials&nbsp;that&nbsp;advers</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;use&nbsp;to&nbsp;bypass&nbsp;the&nbsp;standard&nbsp;authentication&nbsp;system.&nbsp;Once&nbsp;p</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aries&nbsp;may&nbsp;use&nbsp;to&nbsp;bypass&nbsp;the&nbsp;standard&nbsp;authentication&nbsp;system.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">atched,&nbsp;an&nbsp;adversary&nbsp;can&nbsp;use&nbsp;the&nbsp;injected&nbsp;password&nbsp;to&nbsp;succes</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Once&nbsp;patched,&nbsp;an&nbsp;adversary&nbsp;can&nbsp;use&nbsp;the&nbsp;injected&nbsp;password&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sfully&nbsp;authenticate&nbsp;as&nbsp;any&nbsp;domain&nbsp;user&nbsp;account&nbsp;(until&nbsp;the&nbsp;th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">successfully&nbsp;authenticate&nbsp;as&nbsp;any&nbsp;domain&nbsp;user&nbsp;account&nbsp;(until&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">e&nbsp;skeleton&nbsp;key&nbsp;is&nbsp;erased&nbsp;from&nbsp;memory&nbsp;by&nbsp;a&nbsp;reboot&nbsp;of&nbsp;the&nbsp;doma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">the&nbsp;the&nbsp;skeleton&nbsp;key&nbsp;is&nbsp;erased&nbsp;from&nbsp;memory&nbsp;by&nbsp;a&nbsp;reboot&nbsp;of&nbsp;th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;controller).&nbsp;Authenticated&nbsp;access&nbsp;may&nbsp;enable&nbsp;unfettered&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;domain&nbsp;controller).&nbsp;Authenticated&nbsp;access&nbsp;may&nbsp;enable&nbsp;unfett</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ccess&nbsp;to&nbsp;hosts&nbsp;and/or&nbsp;resources&nbsp;within&nbsp;single-factor&nbsp;authent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ered&nbsp;access&nbsp;to&nbsp;hosts&nbsp;and/or&nbsp;resources&nbsp;within&nbsp;single-factor&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ication&nbsp;environments.(Citation:&nbsp;Dell&nbsp;Skeleton)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uthentication&nbsp;environments.(Citation:&nbsp;Dell&nbsp;Skeleton)</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1025: Privileged Process Integrity",
                            "M1026: Privileged Account Management",
                            "M1032: Multi-factor Authentication"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-08-30 18:03:05.864000+00:00",
                    "modified": "2020-09-14 19:55:23.798000+00:00",
                    "name": "Modify Cloud Compute Infrastructure",
                    "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1578",
                            "external_id": "T1578"
                        },
                        {
                            "source_name": "Mandiant M-Trends 2020",
                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
                            "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Stackdriver logs",
                        "GCP audit logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs"
                    ],
                    "x_mitre_detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mounting of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., a tag or header), if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-14 19:55:23.798000+00:00\", \"old_value\": \"2020-06-19 14:46:00.117000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\", \"old_value\": \"FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-05-14 14:45:15.978000+00:00",
                    "modified": "2020-09-14 19:48:08.299000+00:00",
                    "name": "Create Cloud Instance",
                    "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1578/002",
                            "external_id": "T1578.002"
                        },
                        {
                            "source_name": "Mandiant M-Trends 2020",
                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
                            "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
                        },
                        {
                            "source_name": "AWS CloudTrail Search",
                            "description": "Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.",
                            "url": "https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/"
                        },
                        {
                            "source_name": "Azure Activity Logs",
                            "description": "Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.",
                            "url": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs"
                        },
                        {
                            "source_name": "Cloud Audit Logs",
                            "description": "Google. (n.d.). Audit Logs. Retrieved June 1, 2020.",
                            "url": "https://cloud.google.com/logging/docs/audit#admin-activity"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "GCP audit logs",
                        "Stackdriver logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs"
                    ],
                    "x_mitre_detection": "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account, or the unexpected creation of one or more snapshots followed by the creation of an instance, may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the creation of an instance in the <code>RunInstances</code> event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of <code>gcloud compute instances create</code> to create a VM.(Citation: Cloud Audit Logs)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-14 19:48:08.299000+00:00\", \"old_value\": \"2020-06-18 11:45:36.417000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\", \"old_value\": \"FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-06-09 15:33:13.563000+00:00",
                    "modified": "2020-09-14 19:48:08.293000+00:00",
                    "name": "Create Snapshot",
                    "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1536) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1578/001",
                            "external_id": "T1578.001"
                        },
                        {
                            "source_name": "Mandiant M-Trends 2020",
                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
                            "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
                        },
                        {
                            "source_name": "AWS Cloud Trail Backup API",
                            "description": "Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020.",
                            "url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html"
                        },
                        {
                            "source_name": "Azure - Monitor Logs",
                            "description": "Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020.",
                            "url": "https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor"
                        },
                        {
                            "source_name": "Cloud Audit Logs",
                            "description": "Google. (n.d.). Audit Logs. Retrieved June 1, 2020.",
                            "url": "https://cloud.google.com/logging/docs/audit#admin-activity"
                        },
                        {
                            "source_name": "GCP - Creating and Starting a VM",
                            "description": "Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020.",
                            "url": "https://cloud.google.com/compute/docs/instances/create-start-instance#api_2"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "GCP audit logs",
                        "Stackdriver logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs"
                    ],
                    "x_mitre_detection": "The creation of a snapshot is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.\n\nIn AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API)\n\nIn Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)\n\nGoogle's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the <code>gcloud compute instances create</code> command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the <code>\"sourceSnapshot\":</code> parameter pointing to <code>\"global/snapshots/[BOOT_SNAPSHOT_NAME]\"</code>.(Citation: GCP - Creating and Starting a VM)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-14 19:48:08.293000+00:00\", \"old_value\": \"2020-06-19 14:45:59.618000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\", \"old_value\": \"FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-06-16 17:23:06.508000+00:00",
                    "modified": "2020-09-14 19:55:23.113000+00:00",
                    "name": "Delete Cloud Instance",
                    "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1578/003",
                            "external_id": "T1578.003"
                        },
                        {
                            "source_name": "Mandiant M-Trends 2020",
                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
                            "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
                        },
                        {
                            "source_name": "AWS CloudTrail Search",
                            "description": "Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.",
                            "url": "https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/"
                        },
                        {
                            "source_name": "Azure Activity Logs",
                            "description": "Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.",
                            "url": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs"
                        },
                        {
                            "source_name": "Cloud Audit Logs",
                            "description": "Google. (n.d.). Audit Logs. Retrieved June 1, 2020.",
                            "url": "https://cloud.google.com/logging/docs/audit#admin-activity"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "GCP audit logs",
                        "Stackdriver logs",
                        "Azure activity logs",
                        "AWS CloudTrail logs"
                    ],
                    "x_mitre_detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the <code>TerminateInstances</code> event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of <code>gcloud compute instances delete</code> to delete a VM.(Citation: Cloud Audit Logs)",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "AWS",
                        "GCP",
                        "Azure"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-14 19:55:23.113000+00:00\", \"old_value\": \"2020-06-17 19:53:14.784000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\", \"old_value\": \"FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-04-17 20:23:15.105000+00:00",
                    "modified": "2020-09-16 15:58:18.788000+00:00",
                    "name": "Network Denial of Service",
                    "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nSeveral aspects apply to multiple methods of performing Network DoS attacks, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1498",
                            "external_id": "T1498"
                        },
                        {
                            "source_name": "FireEye OpPoisonedHandover February 2016",
                            "description": "Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong\u2019s Pro-Democracy Movement. Retrieved April 18, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
                        },
                        {
                            "source_name": "FSISAC FraudNetDoS September 2012",
                            "description": "FS-ISAC. (2012, September 17). Fraud Alert \u2013 Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019.",
                            "url": "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf"
                        },
                        {
                            "source_name": "Symantec DDoS October 2014",
                            "description": "Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019.",
                            "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf"
                        },
                        {
                            "source_name": "Cisco DoSdetectNetflow",
                            "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.",
                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Sensor health and status",
                        "Network protocol analysis",
                        "Netflow/Enclave netflow",
                        "Network intrusion detection system",
                        "Network device logs"
                    ],
                    "x_mitre_detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect a Network DoS event as it starts. Often, the lead time may be small and the first indicator of an event is that availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
                    "x_mitre_impact_type": [
                        "Availability"
                    ],
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure AD",
                        "SaaS",
                        "Azure",
                        "Office 365"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 15:58:18.788000+00:00\", \"old_value\": \"2020-03-29 01:11:28.903000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1037: Filter Network Traffic",
                            "T1498: Network Denial of Service Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:32.662000+00:00",
                    "modified": "2020-09-16 19:24:20.601000+00:00",
                    "name": "Obfuscated Files or Information",
                    "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1027",
                            "external_id": "T1027"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/267.html",
                            "external_id": "CAPEC-267"
                        },
                        {
                            "source_name": "Volexity PowerDuke November 2016",
                            "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
                            "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
                        },
                        {
                            "source_name": "Linux/Cdorked.A We Live Security Analysis",
                            "description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.",
                            "url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
                        },
                        {
                            "source_name": "Carbon Black Obfuscation Sept 2016",
                            "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
                            "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
                        },
                        {
                            "source_name": "FireEye Obfuscation June 2017",
                            "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
                        },
                        {
                            "source_name": "FireEye Revoke-Obfuscation July 2017",
                            "description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf"
                        },
                        {
                            "source_name": "PaloAlto EncodedCommand March 2017",
                            "description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/"
                        },
                        {
                            "source_name": "GitHub Revoke-Obfuscation",
                            "description": "Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.",
                            "url": "https://github.com/danielbohannon/Revoke-Obfuscation"
                        },
                        {
                            "source_name": "GitHub Office-Crackros Aug 2016",
                            "description": "Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.",
                            "url": "https://github.com/itsreallynick/office-crackros"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Red Canary",
                        "Christiaan Beek, @ChristiaanBeek"
                    ],
                    "x_mitre_data_sources": [
                        "Network protocol analysis",
                        "Process use of network",
                        "File monitoring",
                        "Malware reverse engineering",
                        "Binary file metadata",
                        "Process command-line parameters",
                        "Environment variable",
                        "Process monitoring",
                        "Windows event logs",
                        "Network intrusion detection system",
                        "Email gateway",
                        "SSL/TLS inspection"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Host forensic analysis",
                        "Signature-based detection",
                        "Host intrusion prevention systems",
                        "Application control",
                        "Log analysis",
                        "Application control by file name or path"
                    ],
                    "x_mitre_detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 display command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected on the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The system that generated the alert should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:24:20.601000+00:00\", \"old_value\": \"2020-06-20 22:14:08.350000+00:00\"}}}",
                    "previous_version": "1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1049: Antivirus/Antimalware"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:30:46.977000+00:00",
                    "modified": "2020-10-14 15:20:01.069000+00:00",
                    "name": "Scheduled Task/Job",
                    "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "execution"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1053",
                            "external_id": "T1053"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/557.html",
                            "external_id": "CAPEC-557"
                        },
                        {
                            "source_name": "TechNet Task Scheduler Security",
                            "description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/cc785125.aspx"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Prashant Verma, Paladion",
                        "Leo Loobeek, @leoloobeek",
                        "Travis Smith, Tripwire",
                        "Alain Homewood, Insomnia Security"
                    ],
                    "x_mitre_data_sources": [
                        "File monitoring",
                        "Process monitoring",
                        "Process command-line parameters",
                        "Windows event logs"
                    ],
                    "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                    "x_mitre_effective_permissions": [
                        "SYSTEM",
                        "Administrator",
                        "User"
                    ],
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM",
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "Linux",
                        "macOS"
                    ],
                    "x_mitre_remote_support": true,
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 15:20:01.069000+00:00\", \"old_value\": \"2020-03-24 13:45:04.006000+00:00\"}}}",
                    "previous_version": "2.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1026: Privileged Account Management",
                            "M1028: Operating System Configuration",
                            "M1047: Audit",
                            "T1053: Scheduled Task Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-06-28 17:52:07.296000+00:00",
                    "modified": "2020-09-16 19:34:19.961000+00:00",
                    "name": "Server Software Component",
                    "description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1505",
                            "external_id": "T1505"
                        },
                        {
                            "source_name": "US-CERT Alert TA15-314A Web Shells",
                            "description": "US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA15-314A"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Netflow/Enclave netflow",
                        "Process monitoring",
                        "File monitoring",
                        "Application logs"
                    ],
                    "x_mitre_detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.\n\nProcess monitoring may be used to detect server components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "Administrator",
                        "SYSTEM",
                        "root"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "Linux",
                        "macOS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:34:19.961000+00:00\", \"old_value\": \"2020-04-17 17:47:57.075000+00:00\"}}}",
                    "previous_version": "1.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1045: Code Signing",
                            "M1047: Audit"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-10-21 18:37:15.275000+00:00",
                    "name": "Signed Binary Proxy Execution",
                    "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1218",
                            "external_id": "T1218"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Nishan Maharjan, @loki248",
                        "Hans Christoffer Gaardl\u00f8s",
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "API monitoring",
                        "File monitoring",
                        "Binary file metadata",
                        "Process use of network",
                        "Windows Registry",
                        "Loaded DLLs",
                        "DLL monitoring",
                        "Process monitoring",
                        "Process command-line parameters"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Anti-virus",
                        "Application control",
                        "Digital Certificate Validation"
                    ],
                    "x_mitre_detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 18:37:15.275000+00:00\", \"old_value\": \"2020-06-20 22:39:02.045000+00:00\"}}}",
                    "previous_version": "2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1026: Privileged Account Management",
                            "M1038: Execution Prevention",
                            "M1042: Disable or Remove Feature or Program",
                            "M1050: Exploit Protection"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-23 18:27:30.656000+00:00",
                    "modified": "2020-06-20 22:34:03.247000+00:00",
                    "name": "CMSTP",
                    "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1218/003",
                            "external_id": "T1218.003"
                        },
                        {
                            "source_name": "Microsoft Connection Manager Oct 2009",
                            "description": "Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018.",
                            "url": "https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)"
                        },
                        {
                            "source_name": "Twitter CMSTP Usage Jan 2018",
                            "description": "Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved April 11, 2018.",
                            "url": "https://twitter.com/ItsReallyNick/status/958789644165894146"
                        },
                        {
                            "source_name": "MSitPros CMSTP Aug 2017",
                            "description": "Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.",
                            "url": "https://msitpros.com/?p=3960"
                        },
                        {
                            "source_name": "Twitter CMSTP Jan 2018",
                            "description": "Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018.",
                            "url": "https://twitter.com/NickTyrer/status/958450014111633408"
                        },
                        {
                            "source_name": "GitHub Ultimate AppLocker Bypass List",
                            "description": "Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.",
                            "url": "https://github.com/api0cradle/UltimateAppLockerByPassList"
                        },
                        {
                            "source_name": "Endurant CMSTP July 2018",
                            "description": "Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon. Retrieved August 6, 2018.",
                            "url": "http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Nik Seetharaman, Palantir",
                        "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
                    ],
                    "x_mitre_data_sources": [
                        "Windows event logs",
                        "Process use of network",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Anti-virus",
                        "Application control"
                    ],
                    "x_mitre_detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).",
                    "x_mitre_is_subtechnique": true,
                    "x_mitre_permissions_required": [
                        "User"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\\n\\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \\u201dSquiblydoo\\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\\n\\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)\", \"old_value\": \"Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\\n\\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. 
(Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \\u201dSquiblydoo\\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\\n\\nCMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \\u201dSquiblydoo\\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\\n \\n-CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. 
(Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)\\n+CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\\n\\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\\n\\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\\n* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).\", \"old_value\": \"Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. 
Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\\n\\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\\n\\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\\n* To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).\", \"diff\": \"--- \\n+++ \\n@@ -3,4 +3,4 @@\\n Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\\n \\n * To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\\n-* To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. 
Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).\\n+* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).\"}}}",
                    "previous_version": "1.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to10__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to10__0\"><a href=\"#difflib_chg_to10__top\">t</a></td><td class=\"diff_header\" id=\"from10_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;CMSTP&nbsp;to&nbsp;proxy&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to10__top\">t</a></td><td class=\"diff_header\" id=\"to10_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;CMSTP&nbsp;to&nbsp;proxy&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code.&nbsp;The&nbsp;Microsoft&nbsp;Connection&nbsp;Manager&nbsp;Profile&nbsp;Installer&nbsp;(CM</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code.&nbsp;The&nbsp;Microsoft&nbsp;Connection&nbsp;Manager&nbsp;Profile&nbsp;Installer&nbsp;(CM</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">STP.exe)&nbsp;is&nbsp;a&nbsp;command-line&nbsp;program&nbsp;used&nbsp;to&nbsp;install&nbsp;Connectio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">STP.exe)&nbsp;is&nbsp;a&nbsp;command-line&nbsp;program&nbsp;used&nbsp;to&nbsp;install&nbsp;Connectio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">n&nbsp;Manager&nbsp;service&nbsp;profiles.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Connection&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Manager&nbsp;service&nbsp;profiles.&nbsp;(Citation:&nbsp;Microsoft&nbsp;Connection&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Manager&nbsp;Oct&nbsp;2009)&nbsp;CMSTP.exe&nbsp;accepts&nbsp;an&nbsp;installation&nbsp;informat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Manager&nbsp;Oct&nbsp;2009)&nbsp;CMSTP.exe&nbsp;accepts&nbsp;an&nbsp;installation&nbsp;informat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion&nbsp;file&nbsp;(INF)&nbsp;as&nbsp;a&nbsp;parameter&nbsp;and&nbsp;installs&nbsp;a&nbsp;service&nbsp;profile</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion&nbsp;file&nbsp;(INF)&nbsp;as&nbsp;a&nbsp;parameter&nbsp;and&nbsp;installs&nbsp;a&nbsp;service&nbsp;profile</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;leveraged&nbsp;for&nbsp;remote&nbsp;access&nbsp;connections.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;leveraged&nbsp;for&nbsp;remote&nbsp;access&nbsp;connections.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">upply&nbsp;CMSTP.exe&nbsp;with&nbsp;INF&nbsp;files&nbsp;infected&nbsp;with&nbsp;malicious&nbsp;comma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">upply&nbsp;CMSTP.exe&nbsp;with&nbsp;INF&nbsp;files&nbsp;infected&nbsp;with&nbsp;malicious&nbsp;comma</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">nds.&nbsp;(Citation:&nbsp;Twitter&nbsp;CMSTP&nbsp;Usage&nbsp;Jan&nbsp;2018)&nbsp;Similar&nbsp;to&nbsp;[Re</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nds.&nbsp;(Citation:&nbsp;Twitter&nbsp;CMSTP&nbsp;Usage&nbsp;Jan&nbsp;2018)&nbsp;Similar&nbsp;to&nbsp;[Re</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gsvr32](https://attack.mitre.org/techniques/T1218/010)&nbsp;/&nbsp;\u201dSq</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gsvr32](https://attack.mitre.org/techniques/T1218/010)&nbsp;/&nbsp;\u201dSq</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uiblydoo\u201d,&nbsp;CMSTP.exe&nbsp;may&nbsp;be&nbsp;abused&nbsp;to&nbsp;load&nbsp;and&nbsp;execute&nbsp;DLLs&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uiblydoo\u201d,&nbsp;CMSTP.exe&nbsp;may&nbsp;be&nbsp;abused&nbsp;to&nbsp;load&nbsp;and&nbsp;execute&nbsp;DLLs&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;MSitPros&nbsp;CMSTP&nbsp;Aug&nbsp;2017)&nbsp;&nbsp;and/or&nbsp;COM&nbsp;scriptlets&nbsp;(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;MSitPros&nbsp;CMSTP&nbsp;Aug&nbsp;2017)&nbsp;&nbsp;and/or&nbsp;COM&nbsp;scriptlets&nbsp;(</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">SCT)&nbsp;from&nbsp;remote&nbsp;servers.&nbsp;(Citation:&nbsp;Twitter&nbsp;CMSTP&nbsp;Jan&nbsp;2018)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">SCT)&nbsp;from&nbsp;remote&nbsp;servers.&nbsp;(Citation:&nbsp;Twitter&nbsp;CMSTP&nbsp;Jan&nbsp;2018)</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(Citation:&nbsp;GitHub&nbsp;Ultimate&nbsp;AppLocker&nbsp;Bypass&nbsp;List)&nbsp;(Citation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(Citation:&nbsp;GitHub&nbsp;Ultimate&nbsp;AppLocker&nbsp;Bypass&nbsp;List)&nbsp;(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;Endurant&nbsp;CMSTP&nbsp;July&nbsp;2018)&nbsp;This&nbsp;execution&nbsp;may&nbsp;also&nbsp;bypass&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;Endurant&nbsp;CMSTP&nbsp;July&nbsp;2018)&nbsp;This&nbsp;execution&nbsp;may&nbsp;also&nbsp;bypass&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ppLocker&nbsp;and&nbsp;other&nbsp;application&nbsp;control&nbsp;defenses&nbsp;since&nbsp;CMSTP.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ppLocker&nbsp;and&nbsp;other&nbsp;application&nbsp;control&nbsp;defenses&nbsp;since&nbsp;CMSTP.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">exe&nbsp;is&nbsp;a&nbsp;legitimate,&nbsp;signed&nbsp;Microsoft&nbsp;application.&nbsp;&nbsp;CMSTP.ex</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">exe&nbsp;is&nbsp;a&nbsp;legitimate,&nbsp;signed&nbsp;Microsoft&nbsp;application.&nbsp;&nbsp;CMSTP.ex</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;[Bypass&nbsp;User&nbsp;Acc<span class=\"diff_chg\">ess</span>&nbsp;Control](https:/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;[Bypass&nbsp;User&nbsp;Acc<span 
class=\"diff_chg\">ount</span>&nbsp;Control](https:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/attack.mitre.org/techniques/T1548/002)&nbsp;and&nbsp;execute&nbsp;arbitrar</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">//attack.mitre.org/techniques/T1548/002)&nbsp;and&nbsp;execute&nbsp;arbitra</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;commands&nbsp;from&nbsp;a&nbsp;malicious&nbsp;INF&nbsp;through&nbsp;an&nbsp;auto-elevated&nbsp;COM</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ry&nbsp;commands&nbsp;from&nbsp;a&nbsp;malicious&nbsp;INF&nbsp;through&nbsp;an&nbsp;auto-elevated&nbsp;CO</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;interface.&nbsp;(Citation:&nbsp;MSitPros&nbsp;CMSTP&nbsp;Aug&nbsp;2017)&nbsp;(Citation:&nbsp;G</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">M&nbsp;interface.&nbsp;(Citation:&nbsp;MSitPros&nbsp;CMSTP&nbsp;Aug&nbsp;2017)&nbsp;(Citation:&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itHub&nbsp;Ultimate&nbsp;AppLocker&nbsp;Bypass&nbsp;List)&nbsp;(Citation:&nbsp;Endurant&nbsp;CM</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">GitHub&nbsp;Ultimate&nbsp;AppLocker&nbsp;Bypass&nbsp;List)&nbsp;(Citation:&nbsp;Endurant&nbsp;C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">STP&nbsp;July&nbsp;2018)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">MSTP&nbsp;July&nbsp;2018)</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1038: Execution Prevention",
                            "M1042: Disable or Remove Feature or Program"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-10-13 12:38:32.426000+00:00",
                    "name": "Supply Chain Compromise",
                    "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1195",
                            "external_id": "T1195"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/437.html",
                            "external_id": "CAPEC-437"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/438.html",
                            "external_id": "CAPEC-438"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/439.html",
                            "external_id": "CAPEC-439"
                        },
                        {
                            "source_name": "IBM Storwize",
                            "description": "IBM Support. (2017, April 26). Storwize USB Initialization Tool may contain malicious code. Retrieved May 28, 2019.",
                            "url": "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E"
                        },
                        {
                            "source_name": "Schneider Electric USB Malware",
                            "description": "Schneider Electric. (2018, August 24). Security Notification \u2013 USB Removable Media Provided With Conext Combox and Conext Battery Monitor. Retrieved May 28, 2019.",
                            "url": "https://www.se.com/ww/en/download/document/SESN-2018-236-01/"
                        },
                        {
                            "source_name": "Avast CCleaner3 2018",
                            "description": "Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.",
                            "url": "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities"
                        },
                        {
                            "source_name": "Microsoft Dofoil 2018",
                            "description": "Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Retrieved March 20, 2018.",
                            "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/"
                        },
                        {
                            "source_name": "Command Five SK 2011",
                            "description": "Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018.",
                            "url": "https://www.commandfive.com/papers/C5_APT_SKHack.pdf"
                        },
                        {
                            "source_name": "Symantec Elderwood Sept 2012",
                            "description": "O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.",
                            "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf"
                        },
                        {
                            "source_name": "Trendmicro NPM Compromise",
                            "description": "Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019.",
                            "url": "https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Veeral Patel"
                    ],
                    "x_mitre_data_sources": [
                        "Web proxy",
                        "File monitoring"
                    ],
                    "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows",
                        "macOS"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-13 12:38:32.426000+00:00\", \"old_value\": \"2020-03-23 12:51:45.574000+00:00\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.se.com/ww/en/download/document/SESN-2018-236-01/\", \"old_value\": \"https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/\"}}}",
                    "previous_version": "1.2",
                    "changelog_mitigations": {
                        "shared": [
                            "M1016: Vulnerability Scanning",
                            "M1051: Update Software",
                            "T1195: Supply Chain Compromise Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-01-30 16:18:36.873000+00:00",
                    "modified": "2020-09-16 19:40:44.714000+00:00",
                    "name": "Use Alternate Authentication Material",
                    "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system\u2014either in memory or on disk\u2014it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "lateral-movement"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1550",
                            "external_id": "T1550"
                        },
                        {
                            "source_name": "NIST Authentication",
                            "description": "NIST. (n.d.). Authentication. Retrieved January 30, 2020.",
                            "url": "https://csrc.nist.gov/glossary/term/authentication"
                        },
                        {
                            "source_name": "NIST MFA",
                            "description": "NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January 30, 2020.",
                            "url": "https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication"
                        },
                        {
                            "source_name": "TechNet Audit Policy",
                            "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_data_sources": [
                        "Office 365 audit logs",
                        "OAuth audit logs",
                        "Authentication logs"
                    ],
                    "x_mitre_defense_bypassed": [
                        "System Access Controls"
                    ],
                    "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Windows",
                        "Office 365",
                        "SaaS"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-16 19:40:44.714000+00:00\", \"old_value\": \"2020-03-24 12:36:24.608000+00:00\"}}}",
                    "previous_version": "1.0",
                    "changelog_mitigations": {
                        "shared": [
                            "M1018: User Account Management",
                            "M1026: Privileged Account Management"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:00.645000+00:00",
                    "modified": "2020-10-19 16:01:22.724000+00:00",
                    "name": "Valid Accounts",
                    "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "defense-evasion"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "privilege-escalation"
                        },
                        {
                            "kill_chain_name": "mitre-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/techniques/T1078",
                            "external_id": "T1078"
                        },
                        {
                            "source_name": "capec",
                            "url": "https://capec.mitre.org/data/definitions/560.html",
                            "external_id": "CAPEC-560"
                        },
                        {
                            "source_name": "TechNet Credential Theft",
                            "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx"
                        },
                        {
                            "source_name": "TechNet Audit Policy",
                            "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.",
                            "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Netskope",
                        "Mark Wee",
                        "Praetorian"
                    ],
                    "x_mitre_data_sources": [
                        "AWS CloudTrail logs",
                        "Stackdriver logs",
                        "Authentication logs",
                        "Process monitoring"
                    ],
                    "x_mitre_defense_bypassed": [
                        "Firewall",
                        "Host intrusion prevention systems",
                        "Network intrusion detection system",
                        "Application control",
                        "System access controls",
                        "Anti-virus"
                    ],
                    "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
                    "x_mitre_effective_permissions": [
                        "User",
                        "Administrator"
                    ],
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_permissions_required": [
                        "User",
                        "Administrator"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows",
                        "AWS",
                        "GCP",
                        "Azure",
                        "SaaS",
                        "Office 365",
                        "Azure AD"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 16:01:22.724000+00:00\", \"old_value\": \"2020-06-20 22:44:36.043000+00:00\"}}}",
                    "previous_version": "2.1",
                    "changelog_mitigations": {
                        "shared": [
                            "M1013: Application Developer Guidance",
                            "M1026: Privileged Account Management",
                            "M1027: Password Policies",
                            "T1078: Valid Accounts Mitigation"
                        ],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                }
            ],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "software": {
            "additions": [
                {
                    "type": "malware",
                    "id": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-10 15:54:21.805000+00:00",
                    "modified": "2020-10-05 17:54:53.991000+00:00",
                    "name": "Anchor",
                    "description": "[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0504",
                            "external_id": "S0504"
                        },
                        {
                            "source_name": "Anchor_DNS",
                            "description": "(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)"
                        },
                        {
                            "source_name": "Cyberreason Anchor December 2019",
                            "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.",
                            "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
                        },
                        {
                            "source_name": "Medium Anchor DNS July 2020",
                            "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.",
                            "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Anchor",
                        "Anchor_DNS"
                    ],
                    "x_mitre_contributors": [
                        "Cybereason Nocturnus, @nocturnus"
                    ],
                    "x_mitre_platforms": [
                        "Linux",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-16 14:59:40.051000+00:00",
                    "modified": "2020-08-10 19:17:14.766000+00:00",
                    "name": "Bonadan",
                    "description": "[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0486",
                            "external_id": "S0486"
                        },
                        {
                            "source_name": "ESET ForSSHe December 2018",
                            "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Bonadan"
                    ],
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-15 19:48:35.063000+00:00",
                    "modified": "2020-08-10 21:37:48.548000+00:00",
                    "name": "Carberp",
                    "description": "[Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0484",
                            "external_id": "S0484"
                        },
                        {
                            "source_name": "Trend Micro Carberp February 2014",
                            "description": "Trend Micro. (2014, February 27). CARBERP. Retrieved July 29, 2020.",
                            "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp"
                        },
                        {
                            "source_name": "KasperskyCarbanak",
                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.",
                            "url": "https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/"
                        },
                        {
                            "source_name": "RSA Carbanak November 2017",
                            "description": "RSA. (2017, November 21). THE CARBANAK/FIN7 SYNDICATE A HISTORICAL OVERVIEW OF AN EVOLVING THREAT. Retrieved July 29, 2020.",
                            "url": "https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Carberp"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-22 19:00:00.779000+00:00",
                    "modified": "2020-10-22 01:50:12.660000+00:00",
                    "name": "CookieMiner",
                    "description": "[CookieMiner](https://attack.mitre.org/software/S0492) is macOS-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0492",
                            "external_id": "S0492"
                        },
                        {
                            "source_name": "Unit42 CookieMiner Jan 2019",
                            "description": "Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020.",
                            "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "CookieMiner"
                    ],
                    "x_mitre_platforms": [
                        "macOS"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "tool",
                    "id": "tool--c4810609-7da6-48ec-8057-1b70a7814db0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-17 14:23:05.958000+00:00",
                    "modified": "2020-07-29 20:19:40.544000+00:00",
                    "name": "CrackMapExec",
                    "description": "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)",
                    "revoked": false,
                    "labels": [
                        "tool"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0488",
                            "external_id": "S0488"
                        },
                        {
                            "source_name": "CME Github September 2018",
                            "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.",
                            "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "CrackMapExec"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-10 14:26:12.369000+00:00",
                    "modified": "2020-08-18 15:36:30.748000+00:00",
                    "name": "Cryptoistic",
                    "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0498",
                            "external_id": "S0498"
                        },
                        {
                            "source_name": "SentinelOne Lazarus macOS July 2020",
                            "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020.",
                            "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Cryptoistic"
                    ],
                    "x_mitre_platforms": [
                        "macOS"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-07 14:53:56.534000+00:00",
                    "modified": "2020-09-02 18:48:58.442000+00:00",
                    "name": "Dacls",
                    "description": "[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0497",
                            "external_id": "S0497"
                        },
                        {
                            "source_name": "TrendMicro macOS Dacls May 2020",
                            "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/"
                        },
                        {
                            "source_name": "SentinelOne Lazarus macOS July 2020",
                            "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020.",
                            "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Dacls"
                    ],
                    "x_mitre_platforms": [
                        "macOS",
                        "Linux",
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--99164b38-1775-40bc-b77b-a2373b14540a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-25 18:05:14.953000+00:00",
                    "modified": "2020-09-18 20:55:03.153000+00:00",
                    "name": "Drovorub",
                    "description": "[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0502",
                            "external_id": "S0502"
                        },
                        {
                            "source_name": "NSA/FBI Drovorub August 2020",
                            "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.",
                            "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Drovorub"
                    ],
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-24 13:23:45.162000+00:00",
                    "modified": "2020-10-09 16:08:00.074000+00:00",
                    "name": "FatDuke",
                    "description": "[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0512",
                            "external_id": "S0512"
                        },
                        {
                            "source_name": "ESET Dukes October 2019",
                            "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "FatDuke"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--1cdbbcab-903a-414d-8eb0-439a97343737",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-08 14:55:46.094000+00:00",
                    "modified": "2020-10-19 19:44:15.357000+00:00",
                    "name": "FrameworkPOS",
                    "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0503",
                            "external_id": "S0503"
                        },
                        {
                            "source_name": "Trinity",
                            "description": "(Citation: SentinelOne FrameworkPOS September 2019)"
                        },
                        {
                            "source_name": "SentinelOne FrameworkPOS September 2019",
                            "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.",
                            "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "FrameworkPOS",
                        "Trinity"
                    ],
                    "x_mitre_contributors": [
                        "Center for Threat-Informed Defense (CTID)"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--b9704a7d-feef-4af9-8898-5280f1686326",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-23 13:50:10.409000+00:00",
                    "modified": "2020-08-19 16:31:40.508000+00:00",
                    "name": "GoldenSpy",
                    "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the \"Intelligent Tax\" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0493",
                            "external_id": "S0493"
                        },
                        {
                            "source_name": "Trustwave GoldenSpy June 2020",
                            "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.",
                            "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "GoldenSpy"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--ef2247bf-8062-404b-894f-d65d00564817",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-12 19:32:56.301000+00:00",
                    "modified": "2020-10-16 00:41:06.476000+00:00",
                    "name": "Hancitor",
                    "description": "[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0499",
                            "external_id": "S0499"
                        },
                        {
                            "source_name": "Chanitor",
                            "description": "(Citation: FireEye Hancitor)"
                        },
                        {
                            "source_name": "Threatpost Hancitor",
                            "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.",
                            "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/"
                        },
                        {
                            "source_name": "FireEye Hancitor",
                            "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Hancitor",
                        "Chanitor"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-15 17:55:11.252000+00:00",
                    "modified": "2020-08-14 14:25:53.721000+00:00",
                    "name": "IcedID",
                    "description": "[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0483",
                            "external_id": "S0483"
                        },
                        {
                            "source_name": "IBM IcedID November 2017",
                            "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.",
                            "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
                        },
                        {
                            "source_name": "Juniper IcedID June 2020",
                            "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.",
                            "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "IcedID"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--c984b414-b766-44c5-814a-2fe96c913c12",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-16 15:14:25.631000+00:00",
                    "modified": "2020-08-10 19:43:38.144000+00:00",
                    "name": "Kessel",
                    "description": "[Kessel](https://attack.mitre.org/software/S0487) is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel](https://attack.mitre.org/software/S0487) has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0487",
                            "external_id": "S0487"
                        },
                        {
                            "source_name": "ESET ForSSHe December 2018",
                            "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Kessel"
                    ],
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "tool",
                    "id": "tool--975737f1-b10d-476f-8bda-3ec26ea57172",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-13 17:15:25.702000+00:00",
                    "modified": "2020-08-20 14:52:23.369000+00:00",
                    "name": "MCMD",
                    "description": "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)",
                    "revoked": false,
                    "labels": [
                        "tool"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0500",
                            "external_id": "S0500"
                        },
                        {
                            "source_name": "Secureworks MCMD July 2019",
                            "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.",
                            "url": "https://www.secureworks.com/research/mcmd-malware-analysis"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "MCMD"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-15 13:32:10.185000+00:00",
                    "modified": "2020-09-29 20:46:04.658000+00:00",
                    "name": "Ngrok",
                    "description": "[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0508",
                            "external_id": "S0508"
                        },
                        {
                            "source_name": "Zdnet Ngrok September 2018",
                            "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.",
                            "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/"
                        },
                        {
                            "source_name": "FireEye Maze May 2020",
                            "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html"
                        },
                        {
                            "source_name": "Cyware Ngrok May 2019",
                            "description": "Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims\u2019 systems. Retrieved September 15, 2020.",
                            "url": "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Ngrok"
                    ],
                    "x_mitre_contributors": [
                        "Janantha Marasinghe"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-27 14:06:29.560000+00:00",
                    "modified": "2020-10-06 17:25:07.301000+00:00",
                    "name": "Pillowmint",
                    "description": "[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0517",
                            "external_id": "S0517"
                        },
                        {
                            "source_name": "Trustwave Pillowmint June 2020",
                            "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief. Retrieved July 27, 2020.",
                            "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Pillowmint"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--8393dac0-0583-456a-9372-fd81691bca20",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-24 13:15:51.706000+00:00",
                    "modified": "2020-10-16 21:01:16.880000+00:00",
                    "name": "PipeMon",
                    "description": "[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0501",
                            "external_id": "S0501"
                        },
                        {
                            "source_name": "ESET PipeMon May 2020",
                            "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.",
                            "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "PipeMon"
                    ],
                    "x_mitre_contributors": [
                        "Mathieu Tartare, ESET",
                        "Martin Smol\u00e1r, ESET"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-23 15:42:59.822000+00:00",
                    "modified": "2020-10-09 16:07:59.493000+00:00",
                    "name": "PolyglotDuke",
                    "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0518",
                            "external_id": "S0518"
                        },
                        {
                            "source_name": "ESET Dukes October 2019",
                            "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "PolyglotDuke"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-28 17:26:36.168000+00:00",
                    "modified": "2020-10-15 23:59:45.815000+00:00",
                    "name": "RDAT",
                    "description": "[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0495",
                            "external_id": "S0495"
                        },
                        {
                            "source_name": "Unit42 RDAT July 2020",
                            "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.",
                            "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "RDAT",
                        "RDAT "
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-04 15:06:14.796000+00:00",
                    "modified": "2020-10-05 15:52:54.596000+00:00",
                    "name": "REvil",
                    "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0496",
                            "external_id": "S0496"
                        },
                        {
                            "source_name": "Sodin",
                            "description": "(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)"
                        },
                        {
                            "source_name": "Sodinokibi",
                            "description": "(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)"
                        },
                        {
                            "source_name": "Secureworks REvil September 2019",
                            "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.",
                            "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"
                        },
                        {
                            "source_name": "Intel 471 REvil March 2020",
                            "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.",
                            "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/"
                        },
                        {
                            "source_name": "Group IB Ransomware May 2020",
                            "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020.",
                            "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html"
                        },
                        {
                            "source_name": "Kaspersky Sodin July 2019",
                            "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.",
                            "url": "https://securelist.com/sodin-ransomware/91473/"
                        },
                        {
                            "source_name": "G Data Sodinokibi June 2019",
                            "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.",
                            "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data"
                        },
                        {
                            "source_name": "Cylance Sodinokibi July 2019",
                            "description": "Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.",
                            "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html"
                        },
                        {
                            "source_name": "Secureworks GandCrab and REvil September 2019",
                            "description": "Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.",
                            "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection"
                        },
                        {
                            "source_name": "Talos Sodinokibi April 2019",
                            "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.",
                            "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
                        },
                        {
                            "source_name": "McAfee Sodinokibi October 2019",
                            "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020.",
                            "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"
                        },
                        {
                            "source_name": "McAfee REvil October 2019",
                            "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020.",
                            "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/"
                        },
                        {
                            "source_name": "Picus Sodinokibi January 2020",
                            "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.",
                            "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "REvil",
                        "Sodin",
                        "Sodinokibi"
                    ],
                    "x_mitre_contributors": [
                        "Edward Millington"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--47124daf-44be-4530-9c63-038bc64318dd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-23 18:04:24.998000+00:00",
                    "modified": "2020-10-09 16:07:59.731000+00:00",
                    "name": "RegDuke",
                    "description": "[RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0511",
                            "external_id": "S0511"
                        },
                        {
                            "source_name": "ESET Dukes October 2019",
                            "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "RegDuke"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 16:38:11.279000+00:00",
                    "modified": "2020-10-22 17:35:04.950000+00:00",
                    "name": "SYNful Knock",
                    "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0519",
                            "external_id": "S0519"
                        },
                        {
                            "source_name": "FireEye - Synful Knock",
                            "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html"
                        },
                        {
                            "source_name": "Cisco Synful Knock Evolution",
                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "SYNful Knock"
                    ],
                    "x_mitre_platforms": [
                        "Network"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-29 19:33:35.122000+00:00",
                    "modified": "2020-10-06 16:10:42.422000+00:00",
                    "name": "SoreFang",
                    "description": "[SoreFang](https://attack.mitre.org/software/S0516) is a first stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0516",
                            "external_id": "S0516"
                        },
                        {
                            "source_name": "NCSC APT29 July 2020",
                            "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.",
                            "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf"
                        },
                        {
                            "source_name": "CISA SoreFang July 2016",
                            "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "SoreFang"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--20945359-3b39-4542-85ef-08ecb4e1c174",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-20 17:41:19.690000+00:00",
                    "modified": "2020-10-15 02:00:29.185000+00:00",
                    "name": "StrongPity",
                    "description": "[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0491",
                            "external_id": "S0491"
                        },
                        {
                            "source_name": "Bitdefender StrongPity June 2020",
                            "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.",
                            "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"
                        },
                        {
                            "source_name": "Talos Promethium June 2020",
                            "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.",
                            "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "StrongPity"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-29 17:48:27.517000+00:00",
                    "modified": "2020-10-09 15:38:41.755000+00:00",
                    "name": "WellMail",
                    "description": "[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0515",
                            "external_id": "S0515"
                        },
                        {
                            "source_name": "CISA WellMail July 2020",
                            "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c"
                        },
                        {
                            "source_name": "NCSC APT29 July 2020",
                            "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.",
                            "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "WellMail"
                    ],
                    "x_mitre_contributors": [
                        "Josh Campbell, Cyborg Security, @cyb0rgsecur1ty"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-24 19:39:44.392000+00:00",
                    "modified": "2020-10-09 19:41:25.983000+00:00",
                    "name": "WellMess",
                    "description": "[WellMess](https://attack.mitre.org/software/S0514) is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0514",
                            "external_id": "S0514"
                        },
                        {
                            "source_name": "CISA WellMess July 2020",
                            "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020.",
                            "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b"
                        },
                        {
                            "source_name": "PWC WellMess July 2020",
                            "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.",
                            "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html"
                        },
                        {
                            "source_name": "NCSC APT29 July 2020",
                            "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.",
                            "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "WellMess"
                    ],
                    "x_mitre_contributors": [
                        "Daniyal Naeem"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.0"
                }
            ],
            "major_version_changes": [
                {
                    "type": "malware",
                    "id": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-10-21 17:45:34.380000+00:00",
                    "name": "InvisiMole",
                    "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0260",
                            "external_id": "S0260"
                        },
                        {
                            "source_name": "InvisiMole",
                            "description": "(Citation: ESET InvisiMole June 2018)"
                        },
                        {
                            "source_name": "ESET InvisiMole June 2018",
                            "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.",
                            "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
                        },
                        {
                            "source_name": "ESET InvisiMole June 2020",
                            "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "InvisiMole"
                    ],
                    "x_mitre_contributors": [
                        "ESET"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"ESET\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 17:45:34.380000+00:00\", \"old_value\": \"2020-03-30 02:19:18.750000+00:00\"}, \"root['description']\": {\"new_value\": \"[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)\", \"old_value\": \"[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by threat actors since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. (Citation: ESET InvisiMole June 2018)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"ESET InvisiMole June 2020\", \"description\": \"Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.\", \"url\": \"https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to34__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to34__0\"><a href=\"#difflib_chg_to34__top\">t</a></td><td class=\"diff_header\" id=\"from34_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[InvisiMole](https://attack.mitre.org/software/S0260)&nbsp;is&nbsp;a&nbsp;m</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to34__top\">t</a></td><td class=\"diff_header\" id=\"to34_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[InvisiMole](https://attack.mitre.org/software/S0260)&nbsp;is&nbsp;a&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">odular&nbsp;spyware&nbsp;program&nbsp;that&nbsp;has&nbsp;been&nbsp;used&nbsp;by&nbsp;threat&nbsp;actors&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">odular&nbsp;spyware&nbsp;program&nbsp;that&nbsp;has&nbsp;been&nbsp;used&nbsp;by&nbsp;the&nbsp;InvisiMole&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ince&nbsp;at&nbsp;least&nbsp;2013.&nbsp;[InvisiMole](https://attack.mitre.org/so</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">Group&nbsp;since&nbsp;at&nbsp;least&nbsp;2013.&nbsp;[InvisiMole](https://attack.mitre</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ftware/S0260)&nbsp;has&nbsp;two&nbsp;backdoor&nbsp;modules&nbsp;called&nbsp;RC2FM&nbsp;and&nbsp;RC2C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.org/software/S0260)&nbsp;has&nbsp;two&nbsp;backdoor&nbsp;modules&nbsp;called&nbsp;RC2FM&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">L&nbsp;that&nbsp;are&nbsp;used&nbsp;to&nbsp;perform&nbsp;post-exploitation&nbsp;activities.&nbsp;It&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;RC2CL&nbsp;that&nbsp;are&nbsp;used&nbsp;to&nbsp;perform&nbsp;post-exploitation&nbsp;activiti</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">has&nbsp;been&nbsp;discovered&nbsp;on&nbsp;compromised&nbsp;victims&nbsp;in&nbsp;the&nbsp;Ukraine&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es.&nbsp;It&nbsp;has&nbsp;been&nbsp;discovered&nbsp;on&nbsp;compromised&nbsp;victims&nbsp;in&nbsp;the&nbsp;Ukr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;Russia.&nbsp;(Citation:&nbsp;ESET&nbsp;InvisiMole&nbsp;June&nbsp;2018)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">aine&nbsp;and&nbsp;Russia.&nbsp;[Gamaredon&nbsp;Group](https://attack.mitre.org/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">groups/G0047)&nbsp;infrastructure&nbsp;has&nbsp;been&nbsp;used&nbsp;to&nbsp;download&nbsp;and&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xecute&nbsp;[InvisiMole](https://attack.mitre.org/software/S0260)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;against&nbsp;a&nbsp;small&nbsp;number&nbsp;of&nbsp;victims.(Citation:&nbsp;ESET&nbsp;InvisiMol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;June&nbsp;2018)(Citation:&nbsp;ESET&nbsp;InvisiMole&nbsp;June&nbsp;2020)</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:33:00.176000+00:00",
                    "modified": "2020-10-14 22:38:11.328000+00:00",
                    "name": "Trojan.Karagany",
                    "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0094",
                            "external_id": "S0094"
                        },
                        {
                            "source_name": "xFrost",
                            "description": "(Citation: Secureworks Karagany July 2019)"
                        },
                        {
                            "source_name": "Karagany",
                            "description": "(Citation: Secureworks Karagany July 2019)"
                        },
                        {
                            "source_name": "Symantec Dragonfly",
                            "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.",
                            "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf"
                        },
                        {
                            "source_name": "Secureworks Karagany July 2019",
                            "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.",
                            "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector"
                        },
                        {
                            "source_name": "Dragos DYMALLOY ",
                            "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.",
                            "url": "https://www.dragos.com/threat/dymalloy/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Trojan.Karagany",
                        "xFrost",
                        "Karagany"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['external_references'][1]['url']\": \"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 22:38:11.328000+00:00\", \"old_value\": \"2020-03-17 15:08:58.099000+00:00\"}, \"root['description']\": {\"new_value\": \"[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )\", \"old_value\": \"[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. (Citation: Symantec Dragonfly)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"xFrost\", \"old_value\": \"Symantec Dragonfly\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"(Citation: Secureworks Karagany July 2019)\", \"old_value\": \"Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Karagany\", \"description\": \"(Citation: Secureworks Karagany July 2019)\"}, \"root['external_references'][3]\": {\"source_name\": \"Symantec Dragonfly\", \"description\": \"Symantec Security Response. (2014, July 7). 
Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.\", \"url\": \"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf\"}, \"root['external_references'][4]\": {\"source_name\": \"Secureworks Karagany July 2019\", \"description\": \"Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.\", \"url\": \"https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector\"}, \"root['external_references'][5]\": {\"source_name\": \"Dragos DYMALLOY \", \"description\": \"Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.\", \"url\": \"https://www.dragos.com/threat/dymalloy/\"}, \"root['x_mitre_aliases'][1]\": \"xFrost\", \"root['x_mitre_aliases'][2]\": \"Karagany\"}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to41__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to41__0\"><a href=\"#difflib_chg_to41__top\">t</a></td><td class=\"diff_header\" id=\"from41_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[Trojan.Karagany](https://attack.mitre.org/software/S0094)&nbsp;i</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to41__top\">t</a></td><td class=\"diff_header\" id=\"to41_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[Trojan.Karagany](https://attack.mitre.org/software/S0094)&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;a&nbsp;backdoor&nbsp;primarily&nbsp;used&nbsp;for&nbsp;recon.&nbsp;The&nbsp;source&nbsp;code&nbsp;for&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;a&nbsp;modular&nbsp;remote&nbsp;access&nbsp;tool&nbsp;used&nbsp;for&nbsp;recon&nbsp;and&nbsp;linked&nbsp;to&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;was&nbsp;leaked&nbsp;in&nbsp;2010&nbsp;and&nbsp;it&nbsp;is&nbsp;sold&nbsp;on&nbsp;underground&nbsp;forums.&nbsp;(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">[Dragonfly](https://attack.mitre.org/groups/G0035)&nbsp;and&nbsp;[Drag</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;Symantec&nbsp;Dragonfly)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">onfly&nbsp;2.0](https://attack.mitre.org/groups/G0074).&nbsp;The&nbsp;sourc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;code&nbsp;for&nbsp;[Trojan.Karagany](https://attack.mitre.org/softwa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re/S0094)&nbsp;originated&nbsp;from&nbsp;Dream&nbsp;Loader&nbsp;malware&nbsp;which&nbsp;was&nbsp;lea</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ked&nbsp;in&nbsp;2010&nbsp;and&nbsp;sold&nbsp;on&nbsp;underground&nbsp;forums.&nbsp;(Citation:&nbsp;Syman</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tec&nbsp;Dragonfly)(Citation:&nbsp;Secureworks&nbsp;Karagany&nbsp;July&nbsp;2019)(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ation:&nbsp;Dragos&nbsp;DYMALLOY&nbsp;)</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--1d808f62-cf63-4063-9727-ff6132514c22",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:33:06.433000+00:00",
                    "modified": "2020-08-25 21:23:24.223000+00:00",
                    "name": "WEBC2",
                    "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0109",
                            "external_id": "S0109"
                        },
                        {
                            "source_name": "WEBC2",
                            "description": "(Citation: Mandiant APT1)"
                        },
                        {
                            "source_name": "Mandiant APT1 Appendix",
                            "description": "Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "WEBC2"
                    ],
                    "x_mitre_contributors": [
                        "Wes Hurd"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Wes Hurd\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-25 21:23:24.223000+00:00\", \"old_value\": \"2020-03-30 18:27:06.694000+00:00\"}, \"root['description']\": {\"new_value\": \"[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)\", \"old_value\": \"[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to35__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to35__0\"><a href=\"#difflib_chg_to35__top\">t</a></td><td class=\"diff_header\" id=\"from35_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[WEBC2](https://attack.mitre.org/software/S0109)&nbsp;is&nbsp;a&nbsp;backdo</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to35__top\">t</a></td><td class=\"diff_header\" id=\"to35_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[WEBC2](https://attack.mitre.org/software/S0109)&nbsp;is&nbsp;a&nbsp;family</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">or&nbsp;used&nbsp;by&nbsp;[APT1](https://attack.mitre.org/groups/G0006)&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;of&nbsp;backdoor&nbsp;malware&nbsp;used&nbsp;by&nbsp;[APT1](https://attack.mitre.org</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">retrieve&nbsp;a&nbsp;Web&nbsp;page&nbsp;from&nbsp;a&nbsp;predetermined&nbsp;C2&nbsp;server.&nbsp;(Citatio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">/groups/G0006)&nbsp;as&nbsp;early&nbsp;as&nbsp;July&nbsp;2006.&nbsp;[WEBC2](https://attack</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n:&nbsp;Mandiant&nbsp;APT1&nbsp;Appendix)(Citation:&nbsp;Mandiant&nbsp;APT1)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.mitre.org/software/S0109)&nbsp;backdoors&nbsp;are&nbsp;designed&nbsp;to&nbsp;retriev</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;a&nbsp;webpage,&nbsp;with&nbsp;commands&nbsp;hidden&nbsp;in&nbsp;HTML&nbsp;comments&nbsp;or&nbsp;specia</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">l&nbsp;tags,&nbsp;from&nbsp;a&nbsp;predetermined&nbsp;C2&nbsp;server.&nbsp;(Citation:&nbsp;Mandiant&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">APT1&nbsp;Appendix)(Citation:&nbsp;Mandiant&nbsp;APT1)</span></td></tr>\n        </tbody>\n    </table>"
                }
            ],
            "minor_version_changes": [
                {
                    "type": "malware",
                    "id": "malware--e9595678-d269-469e-ae6b-75e49259de63",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:33:14.118000+00:00",
                    "modified": "2020-10-21 18:22:52.183000+00:00",
                    "name": "BADNEWS",
                    "description": "[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0128",
                            "external_id": "S0128"
                        },
                        {
                            "source_name": "BADNEWS",
                            "description": "(Citation: Forcepoint Monsoon)"
                        },
                        {
                            "source_name": "Forcepoint Monsoon",
                            "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.",
                            "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
                        },
                        {
                            "source_name": "TrendMicro Patchwork Dec 2017",
                            "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
                            "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "BADNEWS"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 18:22:52.183000+00:00\", \"old_value\": \"2020-03-30 02:25:10.616000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "tool",
                    "id": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-12-14 16:46:06.044000+00:00",
                    "modified": "2020-09-11 13:33:17.392000+00:00",
                    "name": "Cobalt Strike",
                    "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)",
                    "revoked": false,
                    "labels": [
                        "tool"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0154",
                            "external_id": "S0154"
                        },
                        {
                            "source_name": "cobaltstrike manual",
                            "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.",
                            "url": "https://cobaltstrike.com/downloads/csmanual38.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Cobalt Strike"
                    ],
                    "x_mitre_contributors": [
                        "Josh Abraham"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.4",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 13:33:17.392000+00:00\", \"old_value\": \"2020-06-23 19:49:20.159000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}",
                    "previous_version": "1.3",
                    "version_change": "1.3 \u2192 1.4"
                },
                {
                    "type": "malware",
                    "id": "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-04-19 16:40:24.922000+00:00",
                    "modified": "2020-10-21 18:25:38.692000+00:00",
                    "name": "Ebury",
                    "description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0377",
                            "external_id": "S0377"
                        },
                        {
                            "source_name": "Ebury",
                            "description": "(Citation: ESET Ebury Feb 2014)"
                        },
                        {
                            "source_name": "ESET Ebury Feb 2014",
                            "description": "M.L\u00e9veill\u00e9, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.",
                            "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
                        },
                        {
                            "source_name": "BleepingComputer Ebury March 2017",
                            "description": "Cimpanu, C.. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.",
                            "url": "https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Ebury"
                    ],
                    "x_mitre_contributors": [
                        "Marc-Etienne M.L\u00e9veill\u00e9, ESET"
                    ],
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 18:25:38.692000+00:00\", \"old_value\": \"2020-03-28 00:54:00.807000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "malware",
                    "id": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-03-25 18:35:14.353000+00:00",
                    "modified": "2020-08-13 15:23:35.947000+00:00",
                    "name": "Emotet",
                    "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0367",
                            "external_id": "S0367"
                        },
                        {
                            "source_name": "Emotet",
                            "description": "(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Kaspersky Emotet Jan 2019)(Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: ESET Emotet Nov 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: CIS Emotet Dec 2018)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019) "
                        },
                        {
                            "source_name": "Geodo",
                            "description": "(Citation: Trend Micro Emotet Jan 2019)"
                        },
                        {
                            "source_name": "Trend Micro Banking Malware Jan 2019",
                            "description": "Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/"
                        },
                        {
                            "source_name": "Kaspersky Emotet Jan 2019",
                            "description": "Shulmin, A.. (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.",
                            "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/"
                        },
                        {
                            "source_name": "CIS Emotet Apr 2017",
                            "description": "CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.",
                            "url": "https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/"
                        },
                        {
                            "source_name": "Malwarebytes Emotet Dec 2017",
                            "description": "Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.",
                            "url": "https://support.malwarebytes.com/docs/DOC-2295"
                        },
                        {
                            "source_name": "Symantec Emotet Jul 2018",
                            "description": "Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.",
                            "url": "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor"
                        },
                        {
                            "source_name": "US-CERT Emotet Jul 2018",
                            "description": "US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-201A"
                        },
                        {
                            "source_name": "ESET Emotet Nov 2018",
                            "description": "ESET. (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.",
                            "url": "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/"
                        },
                        {
                            "source_name": "Secureworks Emotet Nov 2018",
                            "description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.",
                            "url": "https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader"
                        },
                        {
                            "source_name": "Talos Emotet Jan 2019",
                            "description": "Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.",
                            "url": "https://blog.talosintelligence.com/2019/01/return-of-emotet.html"
                        },
                        {
                            "source_name": "Trend Micro Emotet Jan 2019",
                            "description": "Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.",
                            "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf"
                        },
                        {
                            "source_name": "CIS Emotet Dec 2018",
                            "description": "CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.",
                            "url": "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/"
                        },
                        {
                            "source_name": "Picus Emotet Dec 2018",
                            "description": "\u00d6zarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.",
                            "url": "https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html"
                        },
                        {
                            "source_name": "Red Canary Emotet Feb 2019",
                            "description": "Donohue, B.. (2019, February 13). Stopping Emotet Before It Moves Laterally. Retrieved March 25, 2019.",
                            "url": "https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Emotet",
                        "Geodo"
                    ],
                    "x_mitre_contributors": [
                        "Omkar Gudhate"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-13 15:23:35.947000+00:00\", \"old_value\": \"2020-07-15 13:03:45.812000+00:00\"}, \"root['description']\": {\"new_value\": \"[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)\", \"old_value\": \"[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to38__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to38__0\"><a href=\"#difflib_chg_to38__top\">t</a></td><td class=\"diff_header\" id=\"from38_1\">1</td><td nowrap=\"nowrap\">[Emotet](https://attack.mitre.org/software/S0367)&nbsp;is&nbsp;a&nbsp;modul</td><td class=\"diff_next\"><a href=\"#difflib_chg_to38__top\">t</a></td><td class=\"diff_header\" id=\"to38_1\">1</td><td nowrap=\"nowrap\">[Emotet](https://attack.mitre.org/software/S0367)&nbsp;is&nbsp;a&nbsp;modul</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ar&nbsp;malware&nbsp;variant&nbsp;which&nbsp;is&nbsp;primarily&nbsp;used&nbsp;as&nbsp;a&nbsp;downloader&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ar&nbsp;malware&nbsp;variant&nbsp;which&nbsp;is&nbsp;primarily&nbsp;used&nbsp;as&nbsp;a&nbsp;downloader&nbsp;f</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;malware&nbsp;variants&nbsp;such&nbsp;as&nbsp;[TrickBot](https://attack.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;malware&nbsp;variants&nbsp;such&nbsp;as&nbsp;[TrickBot](https://attack.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mitre.org/software/S0266)&nbsp;and&nbsp;IcedID<span 
class=\"diff_chg\">.</span>&nbsp;Emotet&nbsp;first&nbsp;emerged&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mitre.org/software/S0266)&nbsp;and&nbsp;<span class=\"diff_add\">[</span>IcedID<span class=\"diff_chg\">](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;June&nbsp;2014&nbsp;and&nbsp;has&nbsp;been&nbsp;primarily&nbsp;used&nbsp;to&nbsp;target&nbsp;the&nbsp;bankin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">org/software/S0483).</span>&nbsp;Emotet&nbsp;first&nbsp;emerged&nbsp;in&nbsp;June&nbsp;2014&nbsp;and&nbsp;h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;sector.&nbsp;(Citation:&nbsp;Trend&nbsp;Micro&nbsp;Banking&nbsp;Malware&nbsp;Jan&nbsp;2019)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;been&nbsp;primarily&nbsp;used&nbsp;to&nbsp;target&nbsp;the&nbsp;banking&nbsp;sector.&nbsp;(Citati</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on:&nbsp;Trend&nbsp;Micro&nbsp;Banking&nbsp;Malware&nbsp;Jan&nbsp;2019)</td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-01-31 00:36:39.771000+00:00",
                    "modified": "2020-08-03 19:32:54.607000+00:00",
                    "name": "KONNI",
                    "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0356",
                            "external_id": "S0356"
                        },
                        {
                            "source_name": "KONNI",
                            "description": "(Citation: Talos Konni May 2017)"
                        },
                        {
                            "source_name": "Talos Konni May 2017",
                            "description": "Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.",
                            "url": "https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html"
                        },
                        {
                            "source_name": "Unit 42 NOKKI Sept 2018",
                            "description": "Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
                        },
                        {
                            "source_name": "Unit 42 Nokki Oct 2018",
                            "description": "Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
                        },
                        {
                            "source_name": "Medium KONNI Jan 2020",
                            "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.",
                            "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "KONNI"
                    ],
                    "x_mitre_contributors": [
                        "Doron Karmi, @DoronKarmi"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.4",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Doron Karmi, @DoronKarmi\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-03 19:32:54.607000+00:00\", \"old_value\": \"2020-04-28 18:32:51.846000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}",
                    "previous_version": "1.3",
                    "version_change": "1.3 \u2192 1.4"
                },
                {
                    "type": "malware",
                    "id": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-05-18 21:01:51.045000+00:00",
                    "modified": "2020-09-01 20:55:31.256000+00:00",
                    "name": "LoudMiner",
                    "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0451",
                            "external_id": "S0451"
                        },
                        {
                            "source_name": "ESET LoudMiner June 2019",
                            "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.",
                            "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "LoudMiner"
                    ],
                    "x_mitre_platforms": [
                        "macOS",
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-01 20:55:31.256000+00:00\", \"old_value\": \"2020-06-29 23:17:50.246000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--35cd1d01-1ede-44d2-b073-a264d727bc04",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-09-13 13:17:25.718000+00:00",
                    "modified": "2020-09-22 16:56:50.734000+00:00",
                    "name": "Machete",
                    "description": "[Machete](https://attack.mitre.org/software/S0409) is a cyber espionage toolset developed by a Spanish-speaking group known as El [Machete](https://attack.mitre.org/groups/G0095). It is a Python-based backdoor targeting Windows machines, and it was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0409",
                            "external_id": "S0409"
                        },
                        {
                            "source_name": "Machete",
                            "description": "(Citation: Securelist Machete Aug 2014)"
                        },
                        {
                            "source_name": "ESET Machete July 2019",
                            "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf"
                        },
                        {
                            "source_name": "Securelist Machete Aug 2014",
                            "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.",
                            "url": "https://securelist.com/el-machete/66108/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Machete"
                    ],
                    "x_mitre_contributors": [
                        "Matias Nicolas Porolli, ESET"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-22 16:56:50.734000+00:00\", \"old_value\": \"2020-03-30 02:29:55.300000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "malware",
                    "id": "malware--d9f7383c-95ec-4080-bbce-121c9384457b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-05-18 16:17:59.464000+00:00",
                    "modified": "2020-10-19 18:35:15.941000+00:00",
                    "name": "Maze",
                    "description": "[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0449",
                            "external_id": "S0449"
                        },
                        {
                            "source_name": "FireEye Maze May 2020",
                            "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html"
                        },
                        {
                            "source_name": "McAfee Maze March 2020",
                            "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.",
                            "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/"
                        },
                        {
                            "source_name": "Sophos Maze VM September 2020",
                            "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.",
                            "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Maze"
                    ],
                    "x_mitre_contributors": [
                        "Center for Threat-Informed Defense (CTID)",
                        "SarathKumar Rajendran, Trimble Inc"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Center for Threat-Informed Defense (CTID)\", \"SarathKumar Rajendran, Trimble Inc\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 18:35:15.941000+00:00\", \"old_value\": \"2020-06-24 01:40:07.349000+00:00\"}, \"root['name']\": {\"new_value\": \"Maze\", \"old_value\": \"MAZE\"}, \"root['description']\": {\"new_value\": \"[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as \\\"ChaCha\\\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)\", \"old_value\": \"[MAZE](https://attack.mitre.org/software/S0449) ransomware, previously known as \\\"ChaCha\\\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [MAZE](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)\"}, \"root['x_mitre_aliases'][0]\": {\"new_value\": \"Maze\", \"old_value\": \"MAZE\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Sophos Maze VM September 2020\", \"description\": \"Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.\", \"url\": \"https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to40__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to40__0\"><a href=\"#difflib_chg_to40__top\">t</a></td><td class=\"diff_header\" id=\"from40_1\">1</td><td nowrap=\"nowrap\">[M<span class=\"diff_chg\">AZE</span>](https://attack.mitre.org/software/S0449)&nbsp;ransomware,&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to40__top\">t</a></td><td class=\"diff_header\" id=\"to40_1\">1</td><td nowrap=\"nowrap\">[M<span class=\"diff_chg\">aze</span>](https://attack.mitre.org/software/S0449)&nbsp;ransomware,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">previously&nbsp;known&nbsp;as&nbsp;\"ChaCha\",&nbsp;was&nbsp;discovered&nbsp;in&nbsp;May&nbsp;2019.&nbsp;In</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">previously&nbsp;known&nbsp;as&nbsp;\"ChaCha\",&nbsp;was&nbsp;discovered&nbsp;in&nbsp;May&nbsp;2019.&nbsp;In</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;addition&nbsp;to&nbsp;encrypting&nbsp;files&nbsp;on&nbsp;victim&nbsp;machines&nbsp;for&nbsp;impact,</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;addition&nbsp;to&nbsp;encrypting&nbsp;files&nbsp;on&nbsp;victim&nbsp;machines&nbsp;for&nbsp;impact,</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;[M<span class=\"diff_chg\">AZE</span>](https://attack.mitre.org/software/S0449)&nbsp;operators&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;[M<span class=\"diff_chg\">aze</span>](https://attack.mitre.org/software/S0449)&nbsp;operators&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onduct&nbsp;information&nbsp;stealing&nbsp;campaigns&nbsp;prior&nbsp;to&nbsp;encryption&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onduct&nbsp;information&nbsp;stealing&nbsp;campaigns&nbsp;prior&nbsp;to&nbsp;encryption&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;post&nbsp;the&nbsp;information&nbsp;online&nbsp;to&nbsp;extort&nbsp;affected&nbsp;companies.(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;post&nbsp;the&nbsp;information&nbsp;online&nbsp;to&nbsp;extort&nbsp;affected&nbsp;companies.(</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;FireEye&nbsp;Maze&nbsp;May&nbsp;2020)(Citation:&nbsp;McAfee&nbsp;Maze&nbsp;March</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;FireEye&nbsp;Maze&nbsp;May&nbsp;2020)(Citation:&nbsp;McAfee&nbsp;Maze&nbsp;March</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2020)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2020)<span class=\"diff_add\">(Citation:&nbsp;Sophos&nbsp;Maze&nbsp;VM&nbsp;September&nbsp;2020)</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-05-26 17:34:19.044000+00:00",
                    "modified": "2020-10-22 01:34:57.793000+00:00",
                    "name": "Metamorfo",
                    "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.(Citation: Medium Metamorfo Apr 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0455",
                            "external_id": "S0455"
                        },
                        {
                            "source_name": "Metamorfo",
                            "description": "(Citation: Medium Metamorfo Apr 2020)"
                        },
                        {
                            "source_name": "Medium Metamorfo Apr 2020",
                            "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.",
                            "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Metamorfo"
                    ],
                    "x_mitre_contributors": [
                        "Chen Erlich, @chen_erlich, enSilo"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 01:34:57.793000+00:00\", \"old_value\": \"2020-06-25 19:12:24.385000+00:00\"}, \"root['description']\": {\"new_value\": \"[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.(Citation: Medium Metamorfo Apr 2020)\", \"old_value\": \"[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly brazilian users.(Citation: Medium Metamorfo Apr 2020)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to36__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to36__0\"><a href=\"#difflib_chg_to36__top\">t</a></td><td class=\"diff_header\" id=\"from36_1\">1</td><td nowrap=\"nowrap\">[Metamorfo](https://attack.mitre.org/software/S0455)&nbsp;is&nbsp;a&nbsp;ba</td><td class=\"diff_next\"><a href=\"#difflib_chg_to36__top\">t</a></td><td class=\"diff_header\" id=\"to36_1\">1</td><td nowrap=\"nowrap\">[Metamorfo](https://attack.mitre.org/software/S0455)&nbsp;is&nbsp;a&nbsp;ba</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nking&nbsp;trojan&nbsp;operated&nbsp;by&nbsp;a&nbsp;Brazilian&nbsp;cybercrime&nbsp;group&nbsp;that&nbsp;h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nking&nbsp;trojan&nbsp;operated&nbsp;by&nbsp;a&nbsp;Brazilian&nbsp;cybercrime&nbsp;group&nbsp;that&nbsp;h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;April&nbsp;2018.&nbsp;The&nbsp;group&nbsp;focuses&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;April&nbsp;2018.&nbsp;The&nbsp;group&nbsp;focuses&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">on&nbsp;targeting&nbsp;mostly&nbsp;<span class=\"diff_chg\">b</span>razilian&nbsp;users.(Citation:&nbsp;Medium&nbsp;Metamo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;targeting&nbsp;mostly&nbsp;<span class=\"diff_chg\">B</span>razilian&nbsp;users.(Citation:&nbsp;Medium&nbsp;Metamo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rfo&nbsp;Apr&nbsp;2020)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rfo&nbsp;Apr&nbsp;2020)</td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:36.919000+00:00",
                    "modified": "2020-09-23 15:19:58.668000+00:00",
                    "name": "MiniDuke",
                    "description": "[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). (Citation: F-Secure The Dukes)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0051",
                            "external_id": "S0051"
                        },
                        {
                            "source_name": "F-Secure The Dukes",
                            "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.",
                            "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "MiniDuke"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-23 15:19:58.668000+00:00\", \"old_value\": \"2020-03-30 17:04:51.952000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "malware",
                    "id": "malware--2a70812b-f1ef-44db-8578-a496a227aef2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-10-21 18:42:49.250000+00:00",
                    "name": "NETWIRE",
                    "description": "[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012. (Citation: FireEye APT33 Sept 2017) (Citation: McAfee Netwire Mar 2015) (Citation: FireEye APT33 Webinar Sept 2017)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0198",
                            "external_id": "S0198"
                        },
                        {
                            "source_name": "NETWIRE",
                            "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: McAfee Netwire Mar 2015)"
                        },
                        {
                            "source_name": "FireEye APT33 Sept 2017",
                            "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
                        },
                        {
                            "source_name": "McAfee Netwire Mar 2015",
                            "description": "McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.",
                            "url": "https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/"
                        },
                        {
                            "source_name": "FireEye APT33 Webinar Sept 2017",
                            "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.",
                            "url": "https://www.brighttalk.com/webcast/10703/275683"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "NETWIRE"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 18:42:49.250000+00:00\", \"old_value\": \"2020-03-30 17:09:00.491000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "malware",
                    "id": "malware--b136d088-a829-432c-ac26-5529c26d4c7e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:37.341000+00:00",
                    "modified": "2020-09-23 15:21:12.900000+00:00",
                    "name": "OnionDuke",
                    "description": "[OnionDuke](https://attack.mitre.org/software/S0052) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2013 to 2015. (Citation: F-Secure The Dukes)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0052",
                            "external_id": "S0052"
                        },
                        {
                            "source_name": "F-Secure The Dukes",
                            "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.",
                            "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "OnionDuke"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-23 15:21:12.900000+00:00\", \"old_value\": \"2020-03-30 17:13:20.084000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "tool",
                    "id": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-08-12 21:37:53.804000+00:00",
                    "name": "SDelete",
                    "description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)",
                    "revoked": false,
                    "labels": [
                        "tool"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0195",
                            "external_id": "S0195"
                        },
                        {
                            "source_name": "SDelete",
                            "description": "(Citation: Microsoft SDelete July 2016)"
                        },
                        {
                            "source_name": "Microsoft SDelete July 2016",
                            "description": "Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.",
                            "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "SDelete"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-12 21:37:53.804000+00:00\", \"old_value\": \"2019-04-24 00:37:08.653000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "malware",
                    "id": "malware--00806466-754d-44ea-ad6f-0caf59cb8556",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-10-17 15:06:16.817000+00:00",
                    "name": "TrickBot",
                    "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program that has mainly been used for targeting banking sites in United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) is developed in the C++ programming language. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0266",
                            "external_id": "S0266"
                        },
                        {
                            "source_name": "TrickBot",
                            "description": "(Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019)"
                        },
                        {
                            "source_name": "Totbrick",
                            "description": "(Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017)"
                        },
                        {
                            "source_name": "TSPY_TRICKLOAD",
                            "description": "(Citation: Trend Micro Totbrick Oct 2016)"
                        },
                        {
                            "source_name": "S2 Grupo TrickBot June 2017",
                            "description": "Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.",
                            "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf"
                        },
                        {
                            "source_name": "Fidelis TrickBot Oct 2016",
                            "description": "Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.",
                            "url": "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre"
                        },
                        {
                            "source_name": "IBM TrickBot Nov 2016",
                            "description": "Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot\u2019s Machinations. Retrieved August 2, 2018.",
                            "url": "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/"
                        },
                        {
                            "source_name": "Trend Micro Totbrick Oct 2016",
                            "description": "Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.",
                            "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n"
                        },
                        {
                            "source_name": "TrendMicro Trickbot Feb 2019",
                            "description": "Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/"
                        },
                        {
                            "source_name": "Microsoft Totbrick Oct 2017",
                            "description": "Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.",
                            "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "TrickBot",
                        "Totbrick",
                        "TSPY_TRICKLOAD"
                    ],
                    "x_mitre_contributors": [
                        "Cybereason Nocturnus, @nocturnus",
                        "Omkar Gudhate",
                        "FS-ISAC"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-17 15:06:16.817000+00:00\", \"old_value\": \"2020-03-30 21:08:00.221000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][0]\": \"Cybereason Nocturnus, @nocturnus\"}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3"
                },
                {
                    "type": "malware",
                    "id": "malware--ade37ada-14af-4b44-b36c-210eec255d53",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-06-19 17:11:54.854000+00:00",
                    "modified": "2020-10-05 20:59:05.953000+00:00",
                    "name": "Valak",
                    "description": "[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0476",
                            "external_id": "S0476"
                        },
                        {
                            "source_name": "Cybereason Valak May 2020",
                            "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.",
                            "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye"
                        },
                        {
                            "source_name": "Unit 42 Valak July 2020",
                            "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.",
                            "url": "https://unit42.paloaltonetworks.com/valak-evolution/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Valak"
                    ],
                    "x_mitre_contributors": [
                        "Cybereason Nocturnus, @nocturnus"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Cybereason Nocturnus, @nocturnus\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-05 20:59:05.953000+00:00\", \"old_value\": \"2020-06-24 01:11:42.794000+00:00\"}, \"root['description']\": {\"new_value\": \"[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)\", \"old_value\": \"[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Unit 42 Valak July 2020\", \"description\": \"Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.\", \"url\": \"https://unit42.paloaltonetworks.com/valak-evolution/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to39__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to39__0\"><a href=\"#difflib_chg_to39__top\">t</a></td><td class=\"diff_header\" id=\"from39_1\">1</td><td nowrap=\"nowrap\">[Valak](https://attack.mitre.org/software/S0476)&nbsp;is&nbsp;a&nbsp;multi-</td><td class=\"diff_next\"><a href=\"#difflib_chg_to39__top\">t</a></td><td class=\"diff_header\" id=\"to39_1\">1</td><td nowrap=\"nowrap\">[Valak](https://attack.mitre.org/software/S0476)&nbsp;is&nbsp;a&nbsp;multi-</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stage&nbsp;modular&nbsp;malware&nbsp;that&nbsp;can&nbsp;function&nbsp;as&nbsp;a&nbsp;standalone&nbsp;<span class=\"diff_chg\">or</span>&nbsp;d</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stage&nbsp;modular&nbsp;malware&nbsp;that&nbsp;can&nbsp;function&nbsp;as&nbsp;a&nbsp;standalone&nbsp;<span class=\"diff_chg\">info</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ownloader,&nbsp;first&nbsp;observed&nbsp;in&nbsp;2019&nbsp;targeting&nbsp;enterprises&nbsp;in&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">rmation&nbsp;stealer&nbsp;or</span>&nbsp;downloader,&nbsp;first&nbsp;observed&nbsp;in&nbsp;2019&nbsp;target</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;US&nbsp;and&nbsp;Germany.(Citation:&nbsp;Cybereason&nbsp;Valak&nbsp;May&nbsp;2020)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;enterprises&nbsp;in&nbsp;the&nbsp;US&nbsp;and&nbsp;Germany.(Citation:&nbsp;Cybereason&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Valak&nbsp;May&nbsp;2020)<span class=\"diff_add\">(Citation:&nbsp;Unit&nbsp;42&nbsp;Valak&nbsp;July&nbsp;2020)</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:24.937000+00:00",
                    "modified": "2020-10-16 00:51:36.275000+00:00",
                    "name": "gh0st RAT",
                    "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0032",
                            "external_id": "S0032"
                        },
                        {
                            "source_name": "gh0st RAT",
                            "description": "(Citation: FireEye Hacking Team)(Citation: Nccgroup Gh0st April 2018)"
                        },
                        {
                            "source_name": "FireEye Hacking Team",
                            "description": "FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.",
                            "url": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
                        },
                        {
                            "source_name": "Arbor Musical Chairs Feb 2018",
                            "description": "Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.",
                            "url": "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"
                        },
                        {
                            "source_name": "Nccgroup Gh0st April 2018",
                            "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.",
                            "url": "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "gh0st RAT"
                    ],
                    "x_mitre_platforms": [
                        "Windows",
                        "macOS"
                    ],
                    "x_mitre_version": "2.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-16 00:51:36.275000+00:00\", \"old_value\": \"2020-03-30 18:35:11.519000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 2.2"
                },
                {
                    "type": "malware",
                    "id": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-06-04 17:52:28.806000+00:00",
                    "modified": "2020-10-14 22:25:02.713000+00:00",
                    "name": "njRAT",
                    "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0385",
                            "external_id": "S0385"
                        },
                        {
                            "source_name": "Njw0rm",
                            "description": "Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.(Citation: FireEye Njw0rm Aug 2013) Other sources contain that functionality in their description of njRAT itself.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)"
                        },
                        {
                            "source_name": "LV",
                            "description": "(Citation: Fidelis njRAT June 2013)"
                        },
                        {
                            "source_name": "Bladabindi",
                            "description": "(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)"
                        },
                        {
                            "source_name": "Fidelis njRAT June 2013",
                            "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.",
                            "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf"
                        },
                        {
                            "source_name": "FireEye Njw0rm Aug 2013",
                            "description": "Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html"
                        },
                        {
                            "source_name": "Trend Micro njRAT 2018",
                            "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "njRAT",
                        "Njw0rm",
                        "LV",
                        "Bladabindi"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 22:25:02.713000+00:00\", \"old_value\": \"2020-03-30 18:39:37.832000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                }
            ],
            "other_version_changes": [],
            "patches": [
                {
                    "type": "malware",
                    "id": "malware--6b62e336-176f-417b-856a-8552dd8c44e1",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:58.738000+00:00",
                    "modified": "2020-10-26 14:33:46.159000+00:00",
                    "name": "Epic",
                    "description": "[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0091",
                            "external_id": "S0091"
                        },
                        {
                            "source_name": "Epic",
                            "description": "(Citation: Kaspersky Turla)"
                        },
                        {
                            "source_name": "Tavdig",
                            "description": "(Citation: Kaspersky Turla)"
                        },
                        {
                            "source_name": "Wipbot",
                            "description": "(Citation: Kaspersky Turla)"
                        },
                        {
                            "source_name": "WorldCupSec",
                            "description": "(Citation: Kaspersky Turla)"
                        },
                        {
                            "source_name": "TadjMakhal",
                            "description": "(Citation: Kaspersky Turla)"
                        },
                        {
                            "source_name": "Kaspersky Turla",
                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.",
                            "url": "https://securelist.com/the-epic-turla-operation/65545/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Epic",
                        "Tavdig",
                        "Wipbot",
                        "WorldCupSec",
                        "TadjMakhal"
                    ],
                    "x_mitre_contributors": [
                        "Martin Smol\u00e1r, ESET"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-26 14:33:46.159000+00:00\", \"old_value\": \"2020-03-30 02:09:54.540000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Martin Smol\\u00e1r, ESET\", \"old_value\": \"Martin Smolar, ESET\"}}}",
                    "previous_version": "1.3"
                },
                {
                    "type": "malware",
                    "id": "malware--fc774af4-533b-4724-96d2-ac1026316794",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-06-24 12:04:32.323000+00:00",
                    "modified": "2020-07-31 18:01:53.826000+00:00",
                    "name": "HiddenWasp",
                    "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0394",
                            "external_id": "S0394"
                        },
                        {
                            "source_name": "HiddenWasp",
                            "description": "(Citation: Intezer HiddenWasp Map 2019)"
                        },
                        {
                            "source_name": "Intezer HiddenWasp Map 2019",
                            "description": "Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.",
                            "url": "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "HiddenWasp"
                    ],
                    "x_mitre_platforms": [
                        "Linux"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-31 18:01:53.826000+00:00\", \"old_value\": \"2020-03-26 20:35:27.505000+00:00\"}, \"root['description']\": {\"new_value\": \"[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)\", \"old_value\": \"[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)\"}}}",
                    "previous_version": "1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to37__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to37__0\"><a href=\"#difflib_chg_to37__top\">t</a></td><td class=\"diff_header\" id=\"from37_1\">1</td><td nowrap=\"nowrap\">[HiddenWasp](https://attack.mitre.org/software/S0394)&nbsp;is&nbsp;a&nbsp;L</td><td class=\"diff_next\"><a href=\"#difflib_chg_to37__top\">t</a></td><td class=\"diff_header\" id=\"to37_1\">1</td><td nowrap=\"nowrap\">[HiddenWasp](https://attack.mitre.org/software/S0394)&nbsp;is&nbsp;a&nbsp;L</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">inux-based&nbsp;Trojan&nbsp;used&nbsp;to&nbsp;target&nbsp;systems&nbsp;for&nbsp;remote&nbsp;control.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">inux-based&nbsp;Trojan&nbsp;used&nbsp;to&nbsp;target&nbsp;systems&nbsp;for&nbsp;remote&nbsp;control.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;It&nbsp;comes&nbsp;in&nbsp;the&nbsp;form&nbsp;of&nbsp;a&nbsp;sta<span class=\"diff_sub\">tis</span>tically&nbsp;linked&nbsp;ELF&nbsp;binary&nbsp;w</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;It&nbsp;comes&nbsp;in&nbsp;the&nbsp;form&nbsp;of&nbsp;a&nbsp;statically&nbsp;linked&nbsp;ELF&nbsp;binary&nbsp;with</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\">ith&nbsp;stdlibc++.(Citation:&nbsp;Intezer&nbsp;HiddenWasp&nbsp;Map&nbsp;2019)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;stdlibc++.(Citation:&nbsp;Intezer&nbsp;HiddenWasp&nbsp;Map&nbsp;2019)</td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--de6cb631-52f6-4169-a73b-7965390b0c30",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-08-11 19:44:31.363000+00:00",
                    "name": "JPIN",
                    "description": "[JPIN](https://attack.mitre.org/software/S0201) is a custom-built backdoor family used by [PLATINUM](https://attack.mitre.org/groups/G0068). Evidence suggests developers of [JPIN](https://attack.mitre.org/software/S0201) and [Dipsind](https://attack.mitre.org/software/S0200) code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0201",
                            "external_id": "S0201"
                        },
                        {
                            "source_name": "JPIN",
                            "description": "(Citation: Microsoft PLATINUM April 2016)"
                        },
                        {
                            "source_name": "Microsoft PLATINUM April 2016",
                            "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.",
                            "url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "JPIN"
                    ],
                    "x_mitre_contributors": [
                        "Ryan Becwar"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-11 19:44:31.363000+00:00\", \"old_value\": \"2020-03-20 02:18:03.707000+00:00\"}}}",
                    "previous_version": "1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-08-29 18:52:20.879000+00:00",
                    "modified": "2020-10-22 18:35:57.777000+00:00",
                    "name": "OSX/Shlayer",
                    "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS. It was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0402",
                            "external_id": "S0402"
                        },
                        {
                            "source_name": "OSX/Shlayer",
                            "description": "(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)"
                        },
                        {
                            "source_name": "Crossrider",
                            "description": "(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)"
                        },
                        {
                            "source_name": "Carbon Black Shlayer Feb 2019",
                            "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.",
                            "url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
                        },
                        {
                            "source_name": "Intego Shlayer Feb 2018",
                            "description": "Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.",
                            "url": "https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/"
                        },
                        {
                            "source_name": "Intego Shlayer Apr 2018",
                            "description": "Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.",
                            "url": "https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/"
                        },
                        {
                            "source_name": "Malwarebytes Crossrider Apr 2018",
                            "description": "Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.",
                            "url": "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "OSX/Shlayer",
                        "Crossrider"
                    ],
                    "x_mitre_platforms": [
                        "macOS"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 18:35:57.777000+00:00\", \"old_value\": \"2020-03-18 18:27:13.903000+00:00\"}}}",
                    "previous_version": "1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-09-02 18:46:32.365000+00:00",
                    "name": "RATANKBA",
                    "description": "[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0241",
                            "external_id": "S0241"
                        },
                        {
                            "source_name": "RATANKBA",
                            "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.",
                            "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html"
                        },
                        {
                            "source_name": "Lazarus RATANKBA",
                            "description": "Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "RATANKBA"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['external_references'][1]['url']\": \"https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-02 18:46:32.365000+00:00\", \"old_value\": \"2020-03-30 17:25:28.458000+00:00\"}}}",
                    "previous_version": "1.1"
                },
                {
                    "type": "tool",
                    "id": "tool--9de2308e-7bed-43a3-8e58-f194b3586700",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:13.051000+00:00",
                    "modified": "2020-08-13 20:12:50.895000+00:00",
                    "name": "pwdump",
                    "description": "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)",
                    "revoked": false,
                    "labels": [
                        "tool"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0006",
                            "external_id": "S0006"
                        },
                        {
                            "source_name": "Wikipedia pwdump",
                            "description": "Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.",
                            "url": "https://en.wikipedia.org/wiki/Pwdump"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "pwdump"
                    ],
                    "x_mitre_platforms": [
                        "Windows"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-13 20:12:50.895000+00:00\", \"old_value\": \"2020-03-30 18:40:16.684000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.\", \"old_value\": \"Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.\"}}}",
                    "previous_version": "1.1"
                }
            ],
            "revocations": [],
            "deprecations": [],
            "deletions": [
                {
                    "type": "malware",
                    "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-10-25 14:48:42.313000+00:00",
                    "modified": "2020-03-30 18:23:32.096000+00:00",
                    "name": "Twitoor",
                    "description": "[Twitoor](https://attack.mitre.org/software/S0302) is an Android malware family that likely spreads by SMS or via malicious URLs. (Citation: ESET-Twitoor)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/software/S0302",
                            "external_id": "S0302"
                        },
                        {
                            "source_name": "Twitoor",
                            "description": "(Citation: ESET-Twitoor)"
                        },
                        {
                            "source_name": "ESET-Twitoor",
                            "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.",
                            "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Twitoor"
                    ],
                    "x_mitre_old_attack_id": "MOB-S0018",
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.3"
                }
            ]
        },
        "groups": {
            "additions": [
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-08-24 17:01:55.842000+00:00",
                    "modified": "2020-10-05 20:59:57.694000+00:00",
                    "name": "Chimera",
                    "description": "[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group, targeting the semiconductor industry in Taiwan since at least 2018.(Citation: Cycraft Chimera April 2020)",
                    "aliases": [
                        "Chimera"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0114",
                            "external_id": "G0114"
                        },
                        {
                            "source_name": "Cycraft Chimera April 2020",
                            "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.",
                            "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-22 19:41:27.845000+00:00",
                    "modified": "2020-10-06 15:32:20.089000+00:00",
                    "name": "GOLD SOUTHFIELD",
                    "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a-Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)",
                    "aliases": [
                        "GOLD SOUTHFIELD"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0115",
                            "external_id": "G0115"
                        },
                        {
                            "source_name": "Secureworks REvil September 2019",
                            "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.",
                            "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"
                        },
                        {
                            "source_name": "Secureworks GandCrab and REvil September 2019",
                            "description": "Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.",
                            "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection"
                        },
                        {
                            "source_name": "Secureworks GOLD SOUTHFIELD",
                            "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.",
                            "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.0"
                }
            ],
            "major_version_changes": [
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:48.664000+00:00",
                    "modified": "2020-10-06 23:32:21.793000+00:00",
                    "name": "APT28",
                    "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ",
                    "aliases": [
                        "APT28",
                        "SNAKEMACKEREL",
                        "Swallowtail",
                        "Group 74",
                        "Sednit",
                        "Sofacy",
                        "Pawn Storm",
                        "Fancy Bear",
                        "STRONTIUM",
                        "Tsar Team",
                        "Threat Group-4127",
                        "TG-4127"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0007",
                            "external_id": "G0007"
                        },
                        {
                            "source_name": "APT28",
                            "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)"
                        },
                        {
                            "source_name": "SNAKEMACKEREL",
                            "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)"
                        },
                        {
                            "source_name": "Swallowtail",
                            "description": "(Citation: Symantec APT28 Oct 2018)"
                        },
                        {
                            "source_name": "Group 74",
                            "description": "(Citation: Talos Seduploader Oct 2017)"
                        },
                        {
                            "source_name": "Sednit",
                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. (Citation: FireEye APT28 January 2017) (Citation: SecureWorks TG-4127) (Citation: Kaspersky Sofacy) (Citation: Ars Technica GRU indictment Jul 2018)"
                        },
                        {
                            "source_name": "Sofacy",
                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"
                        },
                        {
                            "source_name": "Pawn Storm",
                            "description": "(Citation: SecureWorks TG-4127) (Citation: ESET Sednit Part 3)"
                        },
                        {
                            "source_name": "Fancy Bear",
                            "description": "(Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)"
                        },
                        {
                            "source_name": "STRONTIUM",
                            "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)"
                        },
                        {
                            "source_name": "Tsar Team",
                            "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)"
                        },
                        {
                            "source_name": "Threat Group-4127",
                            "description": "(Citation: SecureWorks TG-4127)"
                        },
                        {
                            "source_name": "TG-4127",
                            "description": "(Citation: SecureWorks TG-4127)"
                        },
                        {
                            "source_name": "NSA/FBI Drovorub August 2020",
                            "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.",
                            "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
                        },
                        {
                            "source_name": "DOJ GRU Indictment Jul 2018",
                            "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.",
                            "url": "https://www.justice.gov/file/1080281/download"
                        },
                        {
                            "source_name": "Ars Technica GRU indictment Jul 2018",
                            "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.",
                            "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
                        },
                        {
                            "source_name": "Crowdstrike DNC June 2016",
                            "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
                            "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
                        },
                        {
                            "source_name": "FireEye APT28",
                            "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
                        },
                        {
                            "source_name": "SecureWorks TG-4127",
                            "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.",
                            "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
                        },
                        {
                            "source_name": "FireEye APT28 January 2017",
                            "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.",
                            "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
                        },
                        {
                            "source_name": "GRIZZLY STEPPE JAR",
                            "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
                            "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
                        },
                        {
                            "source_name": "Sofacy DealersChoice",
                            "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
                        },
                        {
                            "source_name": "Palo Alto Sofacy 06-2018",
                            "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
                        },
                        {
                            "source_name": "Symantec APT28 Oct 2018",
                            "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.",
                            "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
                        },
                        {
                            "source_name": "ESET Zebrocy May 2019",
                            "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.",
                            "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
                        },
                        {
                            "source_name": "US District Court Indictment GRU Oct 2018",
                            "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.",
                            "url": "https://www.justice.gov/opa/page/file/1098481/download"
                        },
                        {
                            "source_name": "Kaspersky Sofacy",
                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
                            "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
                        },
                        {
                            "source_name": "ESET Sednit Part 3",
                            "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.",
                            "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
                        },
                        {
                            "source_name": "Talos Seduploader Oct 2017",
                            "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.",
                            "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
                        },
                        {
                            "source_name": "Securelist Sofacy Feb 2018",
                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.",
                            "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
                        },
                        {
                            "source_name": "Accenture SNAKEMACKEREL Nov 2018",
                            "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.",
                            "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
                        },
                        {
                            "source_name": "Microsoft STRONTIUM Aug 2019",
                            "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.",
                            "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"
                        },
                        {
                            "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020",
                            "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.",
                            "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "S\u00e9bastien Ruel, CGI",
                        "Drew Church, Splunk",
                        "Emily Ratliff, IBM",
                        "Richard Gold, Digital Shadows"
                    ],
                    "x_mitre_version": "3.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-06 23:32:21.793000+00:00\", \"old_value\": \"2020-03-30 15:28:00.965000+00:00\"}, \"root['description']\": {\"new_value\": \"[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\\n\\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
\", \"old_value\": \"[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
[APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\\n+[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\\n+\\n+[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). \"}, \"root['external_references'][9]['description']\": {\"new_value\": \"(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)\", \"old_value\": \"(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019)\"}, \"root['external_references'][13]['source_name']\": {\"new_value\": \"NSA/FBI Drovorub August 2020\", \"old_value\": \"DOJ GRU Indictment Jul 2018\"}, \"root['external_references'][13]['description']\": {\"new_value\": \"NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.\", \"old_value\": \"Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. 
Retrieved September 13, 2018.\"}, \"root['external_references'][13]['url']\": {\"new_value\": \"https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF\", \"old_value\": \"https://www.justice.gov/file/1080281/download\"}, \"root['external_references'][14]['source_name']\": {\"new_value\": \"DOJ GRU Indictment Jul 2018\", \"old_value\": \"Ars Technica GRU indictment Jul 2018\"}, \"root['external_references'][14]['description']\": {\"new_value\": \"Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.\", \"old_value\": \"Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.\"}, \"root['external_references'][14]['url']\": {\"new_value\": \"https://www.justice.gov/file/1080281/download\", \"old_value\": \"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/\"}, \"root['external_references'][15]['source_name']\": {\"new_value\": \"Ars Technica GRU indictment Jul 2018\", \"old_value\": \"Crowdstrike DNC June 2016\"}, \"root['external_references'][15]['description']\": {\"new_value\": \"Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.\", \"old_value\": \"Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. 
Retrieved August 3, 2016.\"}, \"root['external_references'][15]['url']\": {\"new_value\": \"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/\", \"old_value\": \"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\"}, \"root['external_references'][16]['source_name']\": {\"new_value\": \"Crowdstrike DNC June 2016\", \"old_value\": \"FireEye APT28\"}, \"root['external_references'][16]['description']\": {\"new_value\": \"Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.\", \"old_value\": \"FireEye. (2015). APT28: A WINDOW INTO RUSSIA\\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.\"}, \"root['external_references'][16]['url']\": {\"new_value\": \"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\", \"old_value\": \"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf\"}, \"root['external_references'][17]['source_name']\": {\"new_value\": \"FireEye APT28\", \"old_value\": \"SecureWorks TG-4127\"}, \"root['external_references'][17]['description']\": {\"new_value\": \"FireEye. (2015). APT28: A WINDOW INTO RUSSIA\\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.\", \"old_value\": \"SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. 
Retrieved August 3, 2016.\"}, \"root['external_references'][17]['url']\": {\"new_value\": \"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf\", \"old_value\": \"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign\"}, \"root['external_references'][18]['source_name']\": {\"new_value\": \"SecureWorks TG-4127\", \"old_value\": \"FireEye APT28 January 2017\"}, \"root['external_references'][18]['description']\": {\"new_value\": \"SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.\", \"old_value\": \"FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.\"}, \"root['external_references'][18]['url']\": {\"new_value\": \"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign\", \"old_value\": \"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf\"}, \"root['external_references'][19]['source_name']\": {\"new_value\": \"FireEye APT28 January 2017\", \"old_value\": \"GRIZZLY STEPPE JAR\"}, \"root['external_references'][19]['description']\": {\"new_value\": \"FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.\", \"old_value\": \"Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \\u2013 Russian Malicious Cyber Activity. 
Retrieved January 11, 2017.\"}, \"root['external_references'][19]['url']\": {\"new_value\": \"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf\", \"old_value\": \"https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf\"}, \"root['external_references'][20]['source_name']\": {\"new_value\": \"GRIZZLY STEPPE JAR\", \"old_value\": \"Sofacy DealersChoice\"}, \"root['external_references'][20]['description']\": {\"new_value\": \"Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \\u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.\", \"old_value\": \"Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.\"}, \"root['external_references'][20]['url']\": {\"new_value\": \"https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf\", \"old_value\": \"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/\"}, \"root['external_references'][21]['source_name']\": {\"new_value\": \"Sofacy DealersChoice\", \"old_value\": \"Palo Alto Sofacy 06-2018\"}, \"root['external_references'][21]['description']\": {\"new_value\": \"Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.\", \"old_value\": \"Lee, B., Falcone, R. (2018, June 06). Sofacy Group\\u2019s Parallel Attacks. 
Retrieved June 18, 2018.\"}, \"root['external_references'][21]['url']\": {\"new_value\": \"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/\", \"old_value\": \"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\"}, \"root['external_references'][22]['source_name']\": {\"new_value\": \"Palo Alto Sofacy 06-2018\", \"old_value\": \"Symantec APT28 Oct 2018\"}, \"root['external_references'][22]['description']\": {\"new_value\": \"Lee, B., Falcone, R. (2018, June 06). Sofacy Group\\u2019s Parallel Attacks. Retrieved June 18, 2018.\", \"old_value\": \"Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.\"}, \"root['external_references'][22]['url']\": {\"new_value\": \"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\", \"old_value\": \"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government\"}, \"root['external_references'][23]['source_name']\": {\"new_value\": \"Symantec APT28 Oct 2018\", \"old_value\": \"ESET Zebrocy May 2019\"}, \"root['external_references'][23]['description']\": {\"new_value\": \"Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.\", \"old_value\": \"ESET Research. (2019, May 22). A journey to Zebrocy land. 
Retrieved June 20, 2019.\"}, \"root['external_references'][23]['url']\": {\"new_value\": \"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government\", \"old_value\": \"https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/\"}, \"root['external_references'][24]['source_name']\": {\"new_value\": \"ESET Zebrocy May 2019\", \"old_value\": \"Kaspersky Sofacy\"}, \"root['external_references'][24]['description']\": {\"new_value\": \"ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.\", \"old_value\": \"Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.\"}, \"root['external_references'][24]['url']\": {\"new_value\": \"https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/\", \"old_value\": \"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/\"}, \"root['external_references'][25]['source_name']\": {\"new_value\": \"US District Court Indictment GRU Oct 2018\", \"old_value\": \"ESET Sednit Part 3\"}, \"root['external_references'][25]['description']\": {\"new_value\": \"Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.\", \"old_value\": \"ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.\"}, \"root['external_references'][25]['url']\": {\"new_value\": \"https://www.justice.gov/opa/page/file/1098481/download\", \"old_value\": \"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf\"}, \"root['external_references'][26]['source_name']\": {\"new_value\": \"Kaspersky Sofacy\", \"old_value\": \"Talos Seduploader Oct 2017\"}, \"root['external_references'][26]['description']\": {\"new_value\": \"Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). 
Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.\", \"old_value\": \"Mercer, W., et al. (2017, October 22). \\\"Cyber Conflict\\\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.\"}, \"root['external_references'][26]['url']\": {\"new_value\": \"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/\", \"old_value\": \"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html\"}, \"root['external_references'][27]['source_name']\": {\"new_value\": \"ESET Sednit Part 3\", \"old_value\": \"Securelist Sofacy Feb 2018\"}, \"root['external_references'][27]['description']\": {\"new_value\": \"ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.\", \"old_value\": \"Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.\"}, \"root['external_references'][27]['url']\": {\"new_value\": \"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf\", \"old_value\": \"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/\"}, \"root['external_references'][28]['source_name']\": {\"new_value\": \"Talos Seduploader Oct 2017\", \"old_value\": \"Accenture SNAKEMACKEREL Nov 2018\"}, \"root['external_references'][28]['description']\": {\"new_value\": \"Mercer, W., et al. (2017, October 22). \\\"Cyber Conflict\\\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.\", \"old_value\": \"Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019.\"}, \"root['external_references'][28]['url']\": {\"new_value\": \"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html\", \"old_value\": \"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50\"}, \"root['external_references'][29]['source_name']\": {\"new_value\": \"Securelist Sofacy Feb 2018\", \"old_value\": \"Microsoft STRONTIUM Aug 2019\"}, \"root['external_references'][29]['description']\": {\"new_value\": \"Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.\", \"old_value\": \"MSRC Team. (2019, August 5). Corporate IoT \\u2013 a path to intrusion. Retrieved August 16, 2019.\"}, \"root['external_references'][29]['url']\": {\"new_value\": \"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/\", \"old_value\": \"https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.3\"}}, \"iterable_item_added\": {\"root['external_references'][30]\": {\"source_name\": \"Accenture SNAKEMACKEREL Nov 2018\", \"description\": \"Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.\", \"url\": \"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50\"}, \"root['external_references'][31]\": {\"source_name\": \"Microsoft STRONTIUM Aug 2019\", \"description\": \"MSRC Team. (2019, August 5). Corporate IoT \\u2013 a path to intrusion. Retrieved August 16, 2019.\", \"url\": \"https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/\"}, \"root['external_references'][32]\": {\"source_name\": \"Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020\", \"description\": \"Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). 
STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.\", \"url\": \"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/\"}, \"root['x_mitre_contributors'][0]\": \"S\\u00e9bastien Ruel, CGI\"}}",
                    "previous_version": "2.3",
                    "version_change": "2.3 \u2192 3.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to48__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to48__0\"><a href=\"#difflib_chg_to48__top\">t</a></td><td class=\"diff_header\" id=\"from48_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[APT28](https://attack.mitre.org/groups/G0007)&nbsp;is&nbsp;a&nbsp;threat&nbsp;g</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to48__top\">t</a></td><td class=\"diff_header\" id=\"to48_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[APT28](https://attack.mitre.org/groups/G0007)&nbsp;is&nbsp;a&nbsp;threat&nbsp;g</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">roup&nbsp;that&nbsp;has&nbsp;been&nbsp;attributed&nbsp;to&nbsp;Russia's&nbsp;Main&nbsp;Intelligence&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">roup&nbsp;that&nbsp;has&nbsp;been&nbsp;attributed&nbsp;to&nbsp;Russia's&nbsp;General&nbsp;Staff&nbsp;Main</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Directorate&nbsp;of&nbsp;the&nbsp;Russian&nbsp;General&nbsp;Staff&nbsp;by&nbsp;a&nbsp;July&nbsp;2018&nbsp;U.S.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">&nbsp;Intelligence&nbsp;Directorate&nbsp;(GRU)&nbsp;85th&nbsp;Main&nbsp;Special&nbsp;Service&nbsp;Ce</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Department&nbsp;of&nbsp;Justice&nbsp;indictment.&nbsp;This&nbsp;group&nbsp;reportedly&nbsp;com</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nter&nbsp;(GTsSS)&nbsp;military&nbsp;unit&nbsp;26165.(Citation:&nbsp;NSA/FBI&nbsp;Drovorub</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">promised&nbsp;the&nbsp;Hillary&nbsp;Clinton&nbsp;campaign,&nbsp;the&nbsp;Democratic&nbsp;Nation</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;August&nbsp;2020)&nbsp;This&nbsp;group&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;2004</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">al&nbsp;Committee,&nbsp;and&nbsp;the&nbsp;Democratic&nbsp;Congressional&nbsp;Campaign&nbsp;Comm</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.(Citation:&nbsp;DOJ&nbsp;GRU&nbsp;Indictment&nbsp;Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Ars&nbsp;Tech</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ittee&nbsp;in&nbsp;2016&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;interfere&nbsp;with&nbsp;the&nbsp;U.S.&nbsp;presi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">nica&nbsp;GRU&nbsp;indictment&nbsp;Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Crowdstrike&nbsp;DNC&nbsp;Jun</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dential&nbsp;election.&nbsp;[APT28](https://attack.mitre.org/groups/G0</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;2016)&nbsp;(Citation:&nbsp;FireEye&nbsp;APT28)&nbsp;(Citation:&nbsp;SecureWorks&nbsp;TG-</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">007)&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;2004.(Citation:&nbsp;DOJ&nbsp;GRU&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">4127)&nbsp;(Citation:&nbsp;FireEye&nbsp;APT28&nbsp;January&nbsp;2017)&nbsp;(Citation:&nbsp;GRIZ</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Indictment&nbsp;Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Ars&nbsp;Technica&nbsp;GRU&nbsp;indictment&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ZLY&nbsp;STEPPE&nbsp;JAR)&nbsp;(Citation:&nbsp;Sofacy&nbsp;DealersChoice)&nbsp;(Citation:&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Crowdstrike&nbsp;DNC&nbsp;June&nbsp;2016)&nbsp;(Citation:&nbsp;F</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Palo&nbsp;Alto&nbsp;Sofacy&nbsp;06-2018)&nbsp;(Citation:&nbsp;Symantec&nbsp;APT28&nbsp;Oct&nbsp;2018</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ireEye&nbsp;APT28)&nbsp;(Citation:&nbsp;SecureWorks&nbsp;TG-4127)&nbsp;(Citation:&nbsp;Fir</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">)&nbsp;(Citation:&nbsp;ESET&nbsp;Zebrocy&nbsp;May&nbsp;2019)&nbsp;&nbsp;[APT28](https://attack.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">eEye&nbsp;APT28&nbsp;January&nbsp;2017)&nbsp;(Citation:&nbsp;GRIZZLY&nbsp;STEPPE&nbsp;JAR)&nbsp;(Cit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mitre.org/groups/G0007)&nbsp;reportedly&nbsp;compromised&nbsp;the&nbsp;Hillary&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ation:&nbsp;Sofacy&nbsp;DealersChoice)&nbsp;(Citation:&nbsp;Palo&nbsp;Alto&nbsp;Sofacy&nbsp;06-</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">linton&nbsp;campaign,&nbsp;the&nbsp;Democratic&nbsp;National&nbsp;Committee,&nbsp;and&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">2018)&nbsp;(Citation:&nbsp;Symantec&nbsp;APT28&nbsp;Oct&nbsp;2018)&nbsp;(Citation:&nbsp;ESET&nbsp;Ze</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Democratic&nbsp;Congressional&nbsp;Campaign&nbsp;Committee&nbsp;in&nbsp;2016&nbsp;in&nbsp;an&nbsp;at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">brocy&nbsp;May&nbsp;2019)</span></td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tempt&nbsp;to&nbsp;interfere&nbsp;with&nbsp;the&nbsp;U.S.&nbsp;presidential&nbsp;election.&nbsp;(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation:&nbsp;Crowdstrike&nbsp;DNC&nbsp;June&nbsp;2016)&nbsp;In&nbsp;2018,&nbsp;the&nbsp;US&nbsp;indicted&nbsp;f</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ive&nbsp;GRU&nbsp;Unit&nbsp;26165&nbsp;officers&nbsp;associated&nbsp;with&nbsp;[APT28](https://</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">attack.mitre.org/groups/G0007)&nbsp;for&nbsp;cyber&nbsp;operations&nbsp;(includi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ng&nbsp;close-access&nbsp;operations)&nbsp;conducted&nbsp;between&nbsp;2014&nbsp;and&nbsp;2018&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">against&nbsp;the&nbsp;World&nbsp;Anti-Doping&nbsp;Agency&nbsp;(WADA),&nbsp;the&nbsp;US&nbsp;Anti-Dop</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;Agency,&nbsp;a&nbsp;US&nbsp;nuclear&nbsp;facility,&nbsp;the&nbsp;Organization&nbsp;for&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Prohibition&nbsp;of&nbsp;Chemical&nbsp;Weapons&nbsp;(OPCW),&nbsp;the&nbsp;Spiez&nbsp;Swiss&nbsp;Chem</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icals&nbsp;Laboratory,&nbsp;and&nbsp;other&nbsp;organizations.(Citation:&nbsp;US&nbsp;Dist</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rict&nbsp;Court&nbsp;Indictment&nbsp;GRU&nbsp;Oct&nbsp;2018)&nbsp;Some&nbsp;of&nbsp;these&nbsp;were&nbsp;condu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cted&nbsp;with&nbsp;the&nbsp;assistance&nbsp;of&nbsp;GRU&nbsp;Unit&nbsp;74455,&nbsp;which&nbsp;is&nbsp;also&nbsp;re</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ferred&nbsp;to&nbsp;as&nbsp;[Sandworm&nbsp;Team](https://attack.mitre.org/groups</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td 
nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/G0034).&nbsp;</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:05.217000+00:00",
                    "modified": "2020-10-14 22:42:00.531000+00:00",
                    "name": "Dragonfly",
                    "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)\n\nA similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )",
                    "aliases": [
                        "Dragonfly",
                        "TG-4192",
                        "Crouching Yeti",
                        "IRON LIBERTY",
                        "Energetic Bear"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0035",
                            "external_id": "G0035"
                        },
                        {
                            "source_name": "Dragonfly",
                            "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)"
                        },
                        {
                            "source_name": "TG-4192",
                            "description": "(Citation: Secureworks IRON LIBERTY July 2019)"
                        },
                        {
                            "source_name": "Crouching Yeti",
                            "description": "(Citation: Secureworks IRON LIBERTY July 2019)"
                        },
                        {
                            "source_name": "IRON LIBERTY",
                            "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)"
                        },
                        {
                            "source_name": "Energetic Bear",
                            "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)"
                        },
                        {
                            "source_name": "Symantec Dragonfly",
                            "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.",
                            "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf"
                        },
                        {
                            "source_name": "Secureworks IRON LIBERTY July 2019",
                            "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.",
                            "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
                        },
                        {
                            "source_name": "Symantec Dragonfly Sept 2017",
                            "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
                            "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
                        },
                        {
                            "source_name": "Fortune Dragonfly 2.0 Sept 2017",
                            "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.",
                            "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/"
                        },
                        {
                            "source_name": "Dragos DYMALLOY ",
                            "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.",
                            "url": "https://www.dragos.com/threat/dymalloy/"
                        },
                        {
                            "source_name": "Secureworks MCMD July 2019",
                            "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.",
                            "url": "https://www.secureworks.com/research/mcmd-malware-analysis"
                        },
                        {
                            "source_name": "Secureworks Karagany July 2019",
                            "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.",
                            "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['external_references'][3]['url']\": \"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf\", \"root['external_references'][4]['url']\": \"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group\", \"root['external_references'][5]['url']\": \"http://fortune.com/2017/09/06/hack-energy-grid-symantec/\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 22:42:00.531000+00:00\", \"old_value\": \"2019-03-22 20:11:04.628000+00:00\"}, \"root['description']\": {\"new_value\": \"[Dragonfly](https://attack.mitre.org/groups/G0035) Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)\\n\\nA similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )\", \"old_value\": \"[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. 
(Citation: Symantec Dragonfly)\\n\\nA similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)\\n+[Dragonfly](https://attack.mitre.org/groups/G0035) Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)\\n \\n-A similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)\\n+A similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). 
There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)\", \"old_value\": \"(Citation: Symantec Dragonfly)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"TG-4192\", \"old_value\": \"Energetic Bear\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"(Citation: Secureworks IRON LIBERTY July 2019)\", \"old_value\": \"(Citation: Symantec Dragonfly)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Crouching Yeti\", \"old_value\": \"Symantec Dragonfly\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"(Citation: Secureworks IRON LIBERTY July 2019)\", \"old_value\": \"Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"IRON LIBERTY\", \"old_value\": \"Symantec Dragonfly Sept 2017\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)\", \"old_value\": \"Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. 
Retrieved September 9, 2017.\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Energetic Bear\", \"old_value\": \"Fortune Dragonfly 2.0 Sept 2017\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)\", \"old_value\": \"Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['aliases'][1]\": \"TG-4192\", \"root['aliases'][2]\": \"Crouching Yeti\", \"root['aliases'][3]\": \"IRON LIBERTY\", \"root['external_references'][6]\": {\"source_name\": \"Symantec Dragonfly\", \"description\": \"Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.\", \"url\": \"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf\"}, \"root['external_references'][7]\": {\"source_name\": \"Secureworks IRON LIBERTY July 2019\", \"description\": \"Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.\", \"url\": \"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector\"}, \"root['external_references'][8]\": {\"source_name\": \"Symantec Dragonfly Sept 2017\", \"description\": \"Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.\", \"url\": \"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group\"}, \"root['external_references'][9]\": {\"source_name\": \"Fortune Dragonfly 2.0 Sept 2017\", \"description\": \"Hackett, R. (2017, September 6). 
Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.\", \"url\": \"http://fortune.com/2017/09/06/hack-energy-grid-symantec/\"}, \"root['external_references'][10]\": {\"source_name\": \"Dragos DYMALLOY \", \"description\": \"Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.\", \"url\": \"https://www.dragos.com/threat/dymalloy/\"}, \"root['external_references'][11]\": {\"source_name\": \"Secureworks MCMD July 2019\", \"description\": \"Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.\", \"url\": \"https://www.secureworks.com/research/mcmd-malware-analysis\"}, \"root['external_references'][12]\": {\"source_name\": \"Secureworks Karagany July 2019\", \"description\": \"Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.\", \"url\": \"https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to45__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to45__0\"><a href=\"#difflib_chg_to45__top\">t</a></td><td class=\"diff_header\" id=\"from45_1\">1</td><td nowrap=\"nowrap\">[Dragonfly](https://attack.mitre.org/groups/G0035)&nbsp;<span class=\"diff_chg\">is&nbsp;a</span>&nbsp;cybe</td><td class=\"diff_next\"><a href=\"#difflib_chg_to45__top\">t</a></td><td class=\"diff_header\" id=\"to45_1\">1</td><td nowrap=\"nowrap\">[Dragonfly](https://attack.mitre.org/groups/G0035)&nbsp;<span class=\"diff_chg\">Dragonfly</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;espionage&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;2011.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">&nbsp;is&nbsp;a</span>&nbsp;cyber&nbsp;espionage&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;le</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">They&nbsp;initially&nbsp;targeted&nbsp;defense&nbsp;and&nbsp;aviation&nbsp;companies&nbsp;but&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ast&nbsp;2011.&nbsp;They&nbsp;initially&nbsp;targeted&nbsp;defense&nbsp;and&nbsp;aviation&nbsp;compa</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hifted&nbsp;to&nbsp;focus&nbsp;on&nbsp;the&nbsp;energy&nbsp;sector&nbsp;in&nbsp;early&nbsp;2013.&nbsp;They&nbsp;hav</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nies&nbsp;but&nbsp;shifted&nbsp;to&nbsp;focus&nbsp;on&nbsp;the&nbsp;energy&nbsp;sector&nbsp;in&nbsp;early&nbsp;2013</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;also&nbsp;targeted&nbsp;companies&nbsp;related&nbsp;to&nbsp;industrial&nbsp;control&nbsp;syst</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.&nbsp;They&nbsp;have&nbsp;also&nbsp;targeted&nbsp;companies&nbsp;related&nbsp;to&nbsp;industrial&nbsp;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ems.&nbsp;(Citation:&nbsp;Symantec&nbsp;Dragonfly)&nbsp;&nbsp;A&nbsp;similar&nbsp;group&nbsp;emerged</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ntrol&nbsp;systems.&nbsp;(Citation:&nbsp;Symantec&nbsp;Dragonfly)<span class=\"diff_add\">(Citation:&nbsp;Secu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;in&nbsp;2015&nbsp;and&nbsp;was&nbsp;identified&nbsp;by&nbsp;Symantec&nbsp;as&nbsp;[Dragonfly&nbsp;2.0](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">reworks&nbsp;IRON&nbsp;LIBERTY&nbsp;July&nbsp;2019)</span>&nbsp;&nbsp;A&nbsp;similar&nbsp;group&nbsp;emerged&nbsp;in&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/groups/G0074).&nbsp;There&nbsp;is&nbsp;debate&nbsp;over&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">2015&nbsp;and&nbsp;was&nbsp;identified&nbsp;by&nbsp;Symantec&nbsp;as&nbsp;[Dragonfly&nbsp;2.0](https</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">the&nbsp;extent&nbsp;of&nbsp;the&nbsp;overlap&nbsp;between&nbsp;[Dragonfly](https://attack</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">://attack.mitre.org/groups/G0074).&nbsp;There&nbsp;is&nbsp;debate&nbsp;over&nbsp;the&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.mitre.org/groups/G0035)&nbsp;and&nbsp;[Dragonfly&nbsp;2.0](https://attack.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">extent&nbsp;of&nbsp;the&nbsp;overlap&nbsp;between&nbsp;[Dragonfly](https://attack.mit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mitre.org/groups/G0074),&nbsp;but&nbsp;there&nbsp;is&nbsp;sufficient&nbsp;evidence&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re.org/groups/G0035)&nbsp;and&nbsp;[Dragonfly&nbsp;2.0](https://attack.mitr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;lead&nbsp;to&nbsp;these&nbsp;being&nbsp;tracked&nbsp;as&nbsp;two&nbsp;separate&nbsp;groups.&nbsp;(Citati</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e.org/groups/G0074),&nbsp;but&nbsp;there&nbsp;is&nbsp;sufficient&nbsp;evidence&nbsp;to&nbsp;lea</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on:&nbsp;Symantec&nbsp;Dragonfly&nbsp;Sept&nbsp;2017)<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;Fortune&nbsp;Dragonf</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">d&nbsp;to&nbsp;these&nbsp;being&nbsp;tracked&nbsp;as&nbsp;two&nbsp;separate&nbsp;groups.&nbsp;(Citation:&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ly&nbsp;2.0&nbsp;Sept&nbsp;2017)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Symantec&nbsp;Dragonfly&nbsp;Sept&nbsp;2017)(Citation:&nbsp;Fortune&nbsp;Dragonfly&nbsp;2.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">0&nbsp;Sept&nbsp;2017)<span class=\"diff_add\">(Citation:&nbsp;Dragos&nbsp;DYMALLOY&nbsp;)</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:06.015000+00:00",
                    "modified": "2020-10-21 00:44:24.198000+00:00",
                    "name": "FIN6",
                    "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)",
                    "aliases": [
                        "FIN6",
                        "Magecart Group 6",
                        "SKELETON SPIDER",
                        "ITG08"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0037",
                            "external_id": "G0037"
                        },
                        {
                            "source_name": "FIN6",
                            "description": "(Citation: FireEye FIN6 April 2016)"
                        },
                        {
                            "source_name": "Magecart Group 6",
                            "description": "(Citation: Security Intelligence ITG08 April 2020)"
                        },
                        {
                            "source_name": "SKELETON SPIDER",
                            "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)"
                        },
                        {
                            "source_name": "ITG08",
                            "description": "(Citation: Security Intelligence More Eggs Aug 2019)"
                        },
                        {
                            "source_name": "FireEye FIN6 April 2016",
                            "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.",
                            "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
                        },
                        {
                            "source_name": "FireEye FIN6 Apr 2019",
                            "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
                        },
                        {
                            "source_name": "Security Intelligence ITG08 April 2020",
                            "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.",
                            "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/"
                        },
                        {
                            "source_name": "Crowdstrike Global Threat Report Feb 2018",
                            "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.",
                            "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report"
                        },
                        {
                            "source_name": "Security Intelligence More Eggs Aug 2019",
                            "description": "Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.",
                            "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Center for Threat-Informed Defense (CTID)",
                        "Drew Church, Splunk"
                    ],
                    "x_mitre_version": "3.0",
                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['external_references'][3]['url']\": \"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf\", \"root['external_references'][4]['url']\": \"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 00:44:24.198000+00:00\", \"old_value\": \"2020-05-15 19:15:35.233000+00:00\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Magecart Group 6\", \"old_value\": \"ITG08\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"(Citation: Security Intelligence ITG08 April 2020)\", \"old_value\": \"(Citation: Security Intelligence More Eggs Aug 2019)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"SKELETON SPIDER\", \"old_value\": \"FireEye FIN6 April 2016\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"(Citation: Crowdstrike Global Threat Report Feb 2018)\", \"old_value\": \"FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"ITG08\", \"old_value\": \"FireEye FIN6 Apr 2019\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"(Citation: Security Intelligence More Eggs Aug 2019)\", \"old_value\": \"McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"FireEye FIN6 April 2016\", \"old_value\": \"Security Intelligence More Eggs Aug 2019\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. 
Retrieved June 1, 2016.\", \"old_value\": \"Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf\", \"old_value\": \"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['aliases'][1]\": \"Magecart Group 6\", \"root['aliases'][2]\": \"SKELETON SPIDER\", \"root['external_references'][6]\": {\"source_name\": \"FireEye FIN6 Apr 2019\", \"description\": \"McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.\", \"url\": \"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\"}, \"root['external_references'][7]\": {\"source_name\": \"Security Intelligence ITG08 April 2020\", \"description\": \"Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.\", \"url\": \"https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/\"}, \"root['external_references'][8]\": {\"source_name\": \"Crowdstrike Global Threat Report Feb 2018\", \"description\": \"CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.\", \"url\": \"https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report\"}, \"root['external_references'][9]\": {\"source_name\": \"Security Intelligence More Eggs Aug 2019\", \"description\": \"Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. 
Retrieved September 16, 2019.\", \"url\": \"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/\"}, \"root['x_mitre_contributors'][0]\": \"Center for Threat-Informed Defense (CTID)\"}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 3.0"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-01-16 16:13:52.465000+00:00",
                    "modified": "2020-10-22 18:12:48.893000+00:00",
                    "name": "PROMETHIUM",
                    "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)",
                    "aliases": [
                        "PROMETHIUM",
                        "StrongPity"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0056",
                            "external_id": "G0056"
                        },
                        {
                            "source_name": "PROMETHIUM",
                            "description": "(Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)"
                        },
                        {
                            "source_name": "StrongPity",
                            "description": "The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)"
                        },
                        {
                            "source_name": "Microsoft NEODYMIUM Dec 2016",
                            "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.",
                            "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
                        },
                        {
                            "source_name": "Microsoft SIR Vol 21",
                            "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.",
                            "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf"
                        },
                        {
                            "source_name": "Talos Promethium June 2020",
                            "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.",
                            "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"
                        },
                        {
                            "source_name": "Bitdefender StrongPity June 2020",
                            "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.",
                            "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['external_references'][2]['url']\": \"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 18:12:48.893000+00:00\", \"old_value\": \"2019-03-25 16:47:54.447000+00:00\"}, \"root['description']\": {\"new_value\": \"[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)\", \"old_value\": \"[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"StrongPity\", \"old_value\": \"Microsoft NEODYMIUM Dec 2016\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\", \"old_value\": \"Microsoft. (2016, December 14). 
Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Microsoft NEODYMIUM Dec 2016\", \"old_value\": \"Microsoft SIR Vol 21\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.\", \"old_value\": \"Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/\", \"old_value\": \"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['aliases'][1]\": \"StrongPity\", \"root['external_references'][4]\": {\"source_name\": \"Microsoft SIR Vol 21\", \"description\": \"Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.\", \"url\": \"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf\"}, \"root['external_references'][5]\": {\"source_name\": \"Talos Promethium June 2020\", \"description\": \"Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.\", \"url\": \"https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html\"}, \"root['external_references'][6]\": {\"source_name\": \"Bitdefender StrongPity June 2020\", \"description\": \"Tudorica, R. et al. (2020, June 30). 
StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.\", \"url\": \"https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to44__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to44__0\"><a href=\"#difflib_chg_to44__top\">t</a></td><td class=\"diff_header\" id=\"from44_1\">1</td><td nowrap=\"nowrap\">[PROMETHIUM](https://attack.mitre.org/groups/G0056)&nbsp;is&nbsp;an&nbsp;ac</td><td class=\"diff_next\"><a href=\"#difflib_chg_to44__top\">t</a></td><td class=\"diff_header\" id=\"to44_1\">1</td><td nowrap=\"nowrap\">[PROMETHIUM](https://attack.mitre.org/groups/G0056)&nbsp;is&nbsp;an&nbsp;ac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tivity&nbsp;group&nbsp;<span class=\"diff_chg\">that&nbsp;has</span>&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;2012.&nbsp;The&nbsp;g</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tivity&nbsp;group&nbsp;<span class=\"diff_chg\">focused&nbsp;on&nbsp;espionage&nbsp;that&nbsp;has</span>&nbsp;been&nbsp;active&nbsp;since</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">roup&nbsp;<span class=\"diff_chg\">conducted&nbsp;a&nbsp;campaign&nbsp;in&nbsp;Ma</span>y&nbsp;<span class=\"diff_chg\">2016&nbsp;and&nbsp;has</span>&nbsp;heav<span class=\"diff_sub\">il</span>y&nbsp;<span class=\"diff_chg\">target</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;at&nbsp;least&nbsp;2012.&nbsp;The&nbsp;group&nbsp;<span class=\"diff_chg\">has&nbsp;conducted&nbsp;operations&nbsp;globall</span>y&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ed</span>&nbsp;Turkish&nbsp;<span class=\"diff_chg\">victims.</span>&nbsp;[PROMETHIUM](https://attack.mitre.org/gr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">with&nbsp;a</span>&nbsp;heavy&nbsp;<span class=\"diff_chg\">emphasis&nbsp;on</span>&nbsp;Turkish&nbsp;<span class=\"diff_chg\">targets.</span>&nbsp;[PROMETHIUM](https</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oups/G0056)&nbsp;has&nbsp;demonstrated&nbsp;similarity&nbsp;to&nbsp;another&nbsp;activity&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">://attack.mitre.org/groups/G0056)&nbsp;has&nbsp;demonstrated&nbsp;similarit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">group&nbsp;called&nbsp;[NEODYMIUM](https://attack.mitre.org/groups/G00</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;to&nbsp;another&nbsp;activity&nbsp;group&nbsp;called&nbsp;[NEODYMIUM](https://attac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">55)&nbsp;due&nbsp;to&nbsp;overlapping&nbsp;victim&nbsp;and&nbsp;campaign&nbsp;characteristics.<span class=\"diff_sub\">&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/groups/G0055)&nbsp;due&nbsp;to&nbsp;overlapping&nbsp;victim&nbsp;and&nbsp;camp</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\"></span>(Citation:&nbsp;Microsoft&nbsp;NEODYMIUM&nbsp;Dec&nbsp;2016)<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;Microsof</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aign&nbsp;characteristics.(Citation:&nbsp;Microsoft&nbsp;NEODYMIUM&nbsp;Dec&nbsp;2016</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;SIR&nbsp;Vol&nbsp;21)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)(Citation:&nbsp;Microsoft&nbsp;SIR&nbsp;Vol&nbsp;21)<span class=\"diff_add\">(Citation:&nbsp;Talos&nbsp;Promethium</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;June&nbsp;2020)</span></td></tr>\n        </tbody>\n    </table>"
                }
            ],
            "minor_version_changes": [
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:47.955000+00:00",
                    "modified": "2020-10-22 18:35:55.290000+00:00",
                    "name": "APT1",
                    "description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
                    "aliases": [
                        "APT1",
                        "Comment Crew",
                        "Comment Group",
                        "Comment Panda"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0006",
                            "external_id": "G0006"
                        },
                        {
                            "source_name": "APT1",
                            "description": "(Citation: Mandiant APT1)"
                        },
                        {
                            "source_name": "Comment Crew",
                            "description": "(Citation: Mandiant APT1)"
                        },
                        {
                            "source_name": "Comment Group",
                            "description": "(Citation: Mandiant APT1)"
                        },
                        {
                            "source_name": "Comment Panda",
                            "description": "(Citation: CrowdStrike Putter Panda)"
                        },
                        {
                            "source_name": "Mandiant APT1",
                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
                        },
                        {
                            "source_name": "CrowdStrike Putter Panda",
                            "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.",
                            "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 18:35:55.290000+00:00\", \"old_value\": \"2020-03-30 01:45:32.007000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:56.270000+00:00",
                    "modified": "2020-10-12 19:54:58.537000+00:00",
                    "name": "APT16",
                    "description": "[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
                    "aliases": [
                        "APT16"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0023",
                            "external_id": "G0023"
                        },
                        {
                            "source_name": "APT16",
                            "description": "(Citation: FireEye EPS Awakens Part 2)"
                        },
                        {
                            "source_name": "FireEye EPS Awakens Part 2",
                            "description": "Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.",
                            "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-12 19:54:58.537000+00:00\", \"old_value\": \"2019-03-22 14:20:45.561000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:57.307000+00:00",
                    "modified": "2020-10-13 22:33:14.018000+00:00",
                    "name": "APT17",
                    "description": "[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
                    "aliases": [
                        "APT17",
                        "Deputy Dog"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0025",
                            "external_id": "G0025"
                        },
                        {
                            "source_name": "APT17",
                            "description": "(Citation: FireEye APT17)"
                        },
                        {
                            "source_name": "Deputy Dog",
                            "description": "(Citation: FireEye APT17)"
                        },
                        {
                            "source_name": "FireEye APT17",
                            "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.",
                            "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-13 22:33:14.018000+00:00\", \"old_value\": \"2019-03-22 14:21:19.419000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:52.748000+00:00",
                    "modified": "2020-10-22 19:06:15.392000+00:00",
                    "name": "APT29",
                    "description": "[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)",
                    "aliases": [
                        "APT29",
                        "YTTRIUM",
                        "The Dukes",
                        "Cozy Bear",
                        "CozyDuke"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0016",
                            "external_id": "G0016"
                        },
                        {
                            "source_name": "APT29",
                            "description": "(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)"
                        },
                        {
                            "source_name": "YTTRIUM",
                            "description": "(Citation: Microsoft Unidentified Dec 2018)"
                        },
                        {
                            "source_name": "The Dukes",
                            "description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)"
                        },
                        {
                            "source_name": "Cozy Bear",
                            "description": "(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)"
                        },
                        {
                            "source_name": "CozyDuke",
                            "description": "(Citation: Crowdstrike DNC June 2016)"
                        },
                        {
                            "source_name": "F-Secure The Dukes",
                            "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.",
                            "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
                        },
                        {
                            "source_name": "GRIZZLY STEPPE JAR",
                            "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
                            "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
                        },
                        {
                            "source_name": "Crowdstrike DNC June 2016",
                            "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
                            "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
                        },
                        {
                            "source_name": "FireEye APT29 Nov 2018",
                            "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.",
                            "url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html"
                        },
                        {
                            "source_name": "ESET Dukes October 2019",
                            "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
                        },
                        {
                            "source_name": "NCSC APT29 July 2020",
                            "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.",
                            "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf"
                        },
                        {
                            "source_name": "Microsoft Unidentified Dec 2018",
                            "description": "Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.",
                            "url": "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.4",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 19:06:15.392000+00:00\", \"old_value\": \"2020-03-30 18:48:05.505000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)\", \"old_value\": \"(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)\", \"old_value\": \"(Citation: F-Secure The Dukes)\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)\", \"old_value\": \"(Citation: Crowdstrike DNC June 2016)\"}, \"root['external_references'][10]['source_name']\": {\"new_value\": \"ESET Dukes October 2019\", \"old_value\": \"Microsoft Unidentified Dec 2018\"}, \"root['external_references'][10]['description']\": {\"new_value\": \"Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.\", \"old_value\": \"Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.\"}, \"root['external_references'][10]['url']\": {\"new_value\": \"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf\", \"old_value\": \"https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][11]\": {\"source_name\": \"NCSC APT29 July 2020\", \"description\": \"National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.\", \"url\": \"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf\"}, \"root['external_references'][12]\": {\"source_name\": \"Microsoft Unidentified Dec 2018\", \"description\": \"Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.\", \"url\": \"https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\"}}}",
                    "previous_version": "1.3",
                    "version_change": "1.3 \u2192 1.4"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:51.026000+00:00",
                    "modified": "2020-07-29 19:34:28.999000+00:00",
                    "name": "APT30",
                    "description": "[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)",
                    "aliases": [
                        "APT30"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0013",
                            "external_id": "G0013"
                        },
                        {
                            "source_name": "APT30",
                            "description": "(Citation: FireEye APT30) (Citation: Baumgartner Golovkin Naikon 2015)"
                        },
                        {
                            "source_name": "FireEye APT30",
                            "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.",
                            "url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
                        },
                        {
                            "source_name": "Baumgartner Golovkin Naikon 2015",
                            "description": "Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.",
                            "url": "https://securelist.com/the-naikon-apt/69953/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-29 19:34:28.999000+00:00\", \"old_value\": \"2019-03-22 18:44:28.439000+00:00\"}, \"root['description']\": {\"new_value\": \"[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)\", \"old_value\": \"[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to46__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to46__0\"><a href=\"#difflib_chg_to46__top\">t</a></td><td class=\"diff_header\" id=\"from46_1\">1</td><td nowrap=\"nowrap\">[APT30](https://attack.mitre.org/groups/G0013)&nbsp;is&nbsp;a&nbsp;threat&nbsp;g</td><td class=\"diff_next\"><a href=\"#difflib_chg_to46__top\">t</a></td><td class=\"diff_header\" id=\"to46_1\">1</td><td nowrap=\"nowrap\">[APT30](https://attack.mitre.org/groups/G0013)&nbsp;is&nbsp;a&nbsp;threat&nbsp;g</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">roup&nbsp;suspected&nbsp;to&nbsp;be&nbsp;associated&nbsp;with&nbsp;the&nbsp;Chinese&nbsp;government.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">roup&nbsp;suspected&nbsp;to&nbsp;be&nbsp;associated&nbsp;with&nbsp;the&nbsp;Chinese&nbsp;government.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;<span class=\"diff_sub\">(Citation:&nbsp;FireEye&nbsp;APT30)&nbsp;</span>While&nbsp;[Naikon](https://attack.mit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;While&nbsp;[Naikon](https://attack.mitre.org/groups/G0019)&nbsp;share</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re.org/groups/G0019)&nbsp;shares&nbsp;some&nbsp;characteristics&nbsp;with&nbsp;[APT30</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;some&nbsp;characteristics&nbsp;with&nbsp;[APT30](https://attack.mitre.org</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">](https://attack.mitre.org/groups/G0013),&nbsp;the&nbsp;two&nbsp;groups&nbsp;do&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/groups/G0013),&nbsp;the&nbsp;two&nbsp;groups&nbsp;do&nbsp;not&nbsp;appear&nbsp;to&nbsp;be&nbsp;exact&nbsp;mat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">not&nbsp;appear&nbsp;to&nbsp;be&nbsp;exact&nbsp;matches.<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;Baumgartner&nbsp;Golov</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ches.(Citation:&nbsp;<span class=\"diff_add\">FireEye&nbsp;APT30)(Citation:&nbsp;</span>Baumgartner&nbsp;Golovki</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kin&nbsp;Naikon&nbsp;2015)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Naikon&nbsp;2015)</td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-10-21 18:55:20.925000+00:00",
                    "name": "APT37",
                    "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
                    "aliases": [
                        "APT37",
                        "ScarCruft",
                        "Reaper",
                        "Group123",
                        "TEMP.Reaper"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0067",
                            "external_id": "G0067"
                        },
                        {
                            "source_name": "APT37",
                            "description": "(Citation: FireEye APT37 Feb 2018)"
                        },
                        {
                            "source_name": "ScarCruft",
                            "description": "(Citation: Securelist ScarCruft Jun 2016) (Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)"
                        },
                        {
                            "source_name": "Reaper",
                            "description": "(Citation: FireEye APT37 Feb 2018)"
                        },
                        {
                            "source_name": "Group123",
                            "description": "(Citation: FireEye APT37 Feb 2018)"
                        },
                        {
                            "source_name": "TEMP.Reaper",
                            "description": "(Citation: FireEye APT37 Feb 2018)"
                        },
                        {
                            "source_name": "FireEye APT37 Feb 2018",
                            "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.",
                            "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
                        },
                        {
                            "source_name": "Securelist ScarCruft Jun 2016",
                            "description": "Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.",
                            "url": "https://securelist.com/operation-daybreak/75100/"
                        },
                        {
                            "source_name": "Talos Group123",
                            "description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.",
                            "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
                        },
                        {
                            "source_name": "US-CERT HIDDEN COBRA June 2017",
                            "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A"
                        },
                        {
                            "source_name": "Kaspersky Lazarus Under The Hood Blog 2017",
                            "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
                            "url": "https://securelist.com/lazarus-under-the-hood/77908/"
                        },
                        {
                            "source_name": "Securelist ScarCruft May 2019",
                            "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.",
                            "url": "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Valerii Marchuk, Cybersecurity Help s.r.o."
                    ],
                    "x_mitre_version": "1.5",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 18:55:20.925000+00:00\", \"old_value\": \"2020-06-23 19:36:24.680000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}",
                    "previous_version": "1.4",
                    "version_change": "1.4 \u2192 1.5"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:46.390000+00:00",
                    "modified": "2020-10-15 16:59:26.732000+00:00",
                    "name": "Cleaver",
                    "description": "[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
                    "aliases": [
                        "Cleaver",
                        "Threat Group 2889",
                        "TG-2889"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0003",
                            "external_id": "G0003"
                        },
                        {
                            "source_name": "Cleaver",
                            "description": "(Citation: Cylance Cleaver)"
                        },
                        {
                            "source_name": "Threat Group 2889",
                            "description": "(Citation: Dell Threat Group 2889)"
                        },
                        {
                            "source_name": "TG-2889",
                            "description": "(Citation: Dell Threat Group 2889)"
                        },
                        {
                            "source_name": "Cylance Cleaver",
                            "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
                            "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
                        },
                        {
                            "source_name": "Dell Threat Group 2889",
                            "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.",
                            "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-15 16:59:26.732000+00:00\", \"old_value\": \"2020-03-30 18:53:45.117000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-10-15 20:14:58.980000+00:00",
                    "name": "Dragonfly 2.0",
                    "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )",
                    "aliases": [
                        "Dragonfly 2.0",
                        "IRON LIBERTY",
                        "DYMALLOY",
                        "Berserk Bear"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0074",
                            "external_id": "G0074"
                        },
                        {
                            "source_name": "Dragonfly 2.0",
                            "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)"
                        },
                        {
                            "source_name": "IRON LIBERTY",
                            "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)"
                        },
                        {
                            "source_name": "DYMALLOY",
                            "description": "(Citation: Dragos DYMALLOY )"
                        },
                        {
                            "source_name": "Berserk Bear",
                            "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)"
                        },
                        {
                            "source_name": "US-CERT TA18-074A",
                            "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
                        },
                        {
                            "source_name": "Symantec Dragonfly Sept 2017",
                            "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
                            "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
                        },
                        {
                            "source_name": "Fortune Dragonfly 2.0 Sept 2017",
                            "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.",
                            "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/"
                        },
                        {
                            "source_name": "Dragos DYMALLOY ",
                            "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.",
                            "url": "https://www.dragos.com/threat/dymalloy/"
                        },
                        {
                            "source_name": "Secureworks MCMD July 2019",
                            "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.",
                            "url": "https://www.secureworks.com/research/mcmd-malware-analysis"
                        },
                        {
                            "source_name": "Secureworks IRON LIBERTY",
                            "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.",
                            "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['external_references'][3]['url']\": \"https://www.us-cert.gov/ncas/alerts/TA18-074A\", \"root['external_references'][4]['url']\": \"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-15 20:14:58.980000+00:00\", \"old_value\": \"2020-03-30 02:12:43.818000+00:00\"}, \"root['description']\": {\"new_value\": \"[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )\", \"old_value\": \"[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. 
(Citation: Fortune Dragonfly 2.0 Sept 2017)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"IRON LIBERTY\", \"old_value\": \"Berserk Bear\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)\", \"old_value\": \"(Citation: Fortune Dragonfly 2.0 Sept 2017)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"DYMALLOY\", \"old_value\": \"US-CERT TA18-074A\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"(Citation: Dragos DYMALLOY )\", \"old_value\": \"US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Berserk Bear\", \"old_value\": \"Symantec Dragonfly Sept 2017\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"(Citation: Fortune Dragonfly 2.0 Sept 2017)\", \"old_value\": \"Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"US-CERT TA18-074A\", \"old_value\": \"Fortune Dragonfly 2.0 Sept 2017\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.\", \"old_value\": \"Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. 
Retrieved June 6, 2018.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.us-cert.gov/ncas/alerts/TA18-074A\", \"old_value\": \"http://fortune.com/2017/09/06/hack-energy-grid-symantec/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['aliases'][1]\": \"IRON LIBERTY\", \"root['aliases'][2]\": \"DYMALLOY\", \"root['external_references'][6]\": {\"source_name\": \"Symantec Dragonfly Sept 2017\", \"description\": \"Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.\", \"url\": \"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group\"}, \"root['external_references'][7]\": {\"source_name\": \"Fortune Dragonfly 2.0 Sept 2017\", \"description\": \"Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.\", \"url\": \"http://fortune.com/2017/09/06/hack-energy-grid-symantec/\"}, \"root['external_references'][8]\": {\"source_name\": \"Dragos DYMALLOY \", \"description\": \"Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.\", \"url\": \"https://www.dragos.com/threat/dymalloy/\"}, \"root['external_references'][9]\": {\"source_name\": \"Secureworks MCMD July 2019\", \"description\": \"Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.\", \"url\": \"https://www.secureworks.com/research/mcmd-malware-analysis\"}, \"root['external_references'][10]\": {\"source_name\": \"Secureworks IRON LIBERTY\", \"description\": \"Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.\", \"url\": \"https://www.secureworks.com/research/threat-profiles/iron-liberty\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to43__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to43__0\"><a href=\"#difflib_chg_to43__top\">t</a></td><td class=\"diff_header\" id=\"from43_1\">1</td><td nowrap=\"nowrap\">[Dragonfly&nbsp;2.0](https://attack.mitre.org/groups/G0074)&nbsp;is&nbsp;a&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to43__top\">t</a></td><td class=\"diff_header\" id=\"to43_1\">1</td><td nowrap=\"nowrap\">[Dragonfly&nbsp;2.0](https://attack.mitre.org/groups/G0074)&nbsp;is&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">suspected&nbsp;Russian&nbsp;group&nbsp;that&nbsp;has&nbsp;targeted&nbsp;government&nbsp;entitie</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">suspected&nbsp;Russian&nbsp;group&nbsp;that&nbsp;has&nbsp;targeted&nbsp;government&nbsp;entitie</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;and&nbsp;multiple&nbsp;U.S.&nbsp;critical&nbsp;infrastructure&nbsp;sectors&nbsp;since&nbsp;at</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;and&nbsp;multiple&nbsp;U.S.&nbsp;critical&nbsp;infrastructure&nbsp;sectors&nbsp;since&nbsp;at</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">&nbsp;least&nbsp;March&nbsp;2016.&nbsp;(Citation:&nbsp;US-CERT&nbsp;TA18-074A)&nbsp;(Citation:&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;least&nbsp;March&nbsp;2016.&nbsp;(Citation:&nbsp;US-CERT&nbsp;TA18-074A)&nbsp;(Citation:&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Symantec&nbsp;Dragonfly&nbsp;Sept&nbsp;2017)&nbsp;There&nbsp;is&nbsp;debate&nbsp;over&nbsp;the&nbsp;exten</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Symantec&nbsp;Dragonfly&nbsp;Sept&nbsp;2017)&nbsp;There&nbsp;is&nbsp;debate&nbsp;over&nbsp;the&nbsp;exten</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;of&nbsp;overlap&nbsp;between&nbsp;[Dragonfly&nbsp;2.0](https://attack.mitre.or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;of&nbsp;overlap&nbsp;between&nbsp;[Dragonfly&nbsp;2.0](https://attack.mitre.or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/groups/G0074)&nbsp;and&nbsp;[Dragonfly](https://attack.mitre.org/gro</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/groups/G0074)&nbsp;and&nbsp;[Dragonfly](https://attack.mitre.org/gro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ups/G0035),&nbsp;but&nbsp;there&nbsp;is&nbsp;sufficient&nbsp;evidence&nbsp;to&nbsp;lead&nbsp;to&nbsp;thes</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ups/G0035),&nbsp;but&nbsp;there&nbsp;is&nbsp;sufficient&nbsp;evidence&nbsp;to&nbsp;lead&nbsp;to&nbsp;thes</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">e&nbsp;being&nbsp;tracked&nbsp;as&nbsp;two&nbsp;separate&nbsp;groups.&nbsp;(Citation:&nbsp;Fortune&nbsp;D</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;being&nbsp;tracked&nbsp;as&nbsp;two&nbsp;separate&nbsp;groups.&nbsp;(Citation:&nbsp;Fortune&nbsp;D</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ragonfly&nbsp;2.0&nbsp;Sept&nbsp;2017)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ragonfly&nbsp;2.0&nbsp;Sept&nbsp;2017)<span class=\"diff_add\">(Citation:&nbsp;Dragos&nbsp;DYMALLOY&nbsp;)</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:09.460000+00:00",
                    "modified": "2020-10-22 18:47:28.215000+00:00",
                    "name": "FIN7",
                    "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. [FIN7](https://attack.mitre.org/groups/G0046) is sometimes referred to as [Carbanak](https://attack.mitre.org/groups/G0008) Group, but these appear to be two groups using the same [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: FireEye CARBANAK June 2017) (Citation: FireEye FIN7 Aug 2018)",
                    "aliases": [
                        "FIN7"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0046",
                            "external_id": "G0046"
                        },
                        {
                            "source_name": "FIN7",
                            "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)"
                        },
                        {
                            "source_name": "FireEye FIN7 March 2017",
                            "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
                        },
                        {
                            "source_name": "FireEye FIN7 April 2017",
                            "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
                        },
                        {
                            "source_name": "FireEye CARBANAK June 2017",
                            "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
                        },
                        {
                            "source_name": "FireEye FIN7 Aug 2018",
                            "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
                            "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
                        },
                        {
                            "source_name": "Morphisec FIN7 June 2017",
                            "description": "Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.",
                            "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry"
                        },
                        {
                            "source_name": "FireEye FIN7 Shim Databases",
                            "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.5",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 18:47:28.215000+00:00\", \"old_value\": \"2020-06-24 19:07:46.524000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}",
                    "previous_version": "1.4",
                    "version_change": "1.4 \u2192 1.5"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:09.849000+00:00",
                    "modified": "2020-08-31 15:10:22.189000+00:00",
                    "name": "Gamaredon Group",
                    "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word \"Armageddon\", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)",
                    "aliases": [
                        "Gamaredon Group"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0047",
                            "external_id": "G0047"
                        },
                        {
                            "source_name": "Gamaredon Group",
                            "description": "(Citation: Palo Alto Gamaredon Feb 2017)"
                        },
                        {
                            "source_name": "Palo Alto Gamaredon Feb 2017",
                            "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
                            "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
                        },
                        {
                            "source_name": "TrendMicro Gamaredon April 2020",
                            "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"
                        },
                        {
                            "source_name": "ESET Gamaredon June 2020",
                            "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.",
                            "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "ESET",
                        "Trend Micro Incorporated"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-31 15:10:22.189000+00:00\", \"old_value\": \"2020-06-25 20:56:02.454000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][0]\": \"ESET\"}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:03.807000+00:00",
                    "modified": "2020-10-02 16:21:21.624000+00:00",
                    "name": "Lazarus Group",
                    "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a threat group that has been attributed to the North Korean government.(Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, [Lazarus Group](https://attack.mitre.org/groups/G0032) used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. (Citation: Lazarus KillDisk)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
                    "aliases": [
                        "Lazarus Group",
                        "HIDDEN COBRA",
                        "Guardians of Peace",
                        "ZINC",
                        "NICKEL ACADEMY"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0032",
                            "external_id": "G0032"
                        },
                        {
                            "source_name": "Lazarus Group",
                            "description": "(Citation: Novetta Blockbuster)"
                        },
                        {
                            "source_name": "HIDDEN COBRA",
                            "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)"
                        },
                        {
                            "source_name": "Guardians of Peace",
                            "description": "(Citation: US-CERT HIDDEN COBRA June 2017)"
                        },
                        {
                            "source_name": "ZINC",
                            "description": "(Citation: Microsoft ZINC disruption Dec 2017)"
                        },
                        {
                            "source_name": "NICKEL ACADEMY",
                            "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)"
                        },
                        {
                            "source_name": "US-CERT HIDDEN COBRA June 2017",
                            "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.",
                            "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A"
                        },
                        {
                            "source_name": "Novetta Blockbuster",
                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
                            "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
                        },
                        {
                            "source_name": "Lazarus KillDisk",
                            "description": "K\u00e1lnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.",
                            "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"
                        },
                        {
                            "source_name": "Kaspersky Lazarus Under The Hood Blog 2017",
                            "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
                            "url": "https://securelist.com/lazarus-under-the-hood/77908/"
                        },
                        {
                            "source_name": "US-CERT HOPLIGHT Apr 2019",
                            "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.",
                            "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
                        },
                        {
                            "source_name": "Microsoft ZINC disruption Dec 2017",
                            "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.",
                            "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/"
                        },
                        {
                            "source_name": "Secureworks NICKEL ACADEMY Dec 2017",
                            "description": "Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.",
                            "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.4",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-02 16:21:21.624000+00:00\", \"old_value\": \"2020-05-06 19:32:13.572000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}",
                    "previous_version": "1.3",
                    "version_change": "1.3 \u2192 1.4"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-09-13 12:37:10.394000+00:00",
                    "modified": "2020-09-22 16:46:45.662000+00:00",
                    "name": "Machete",
                    "description": "[Machete](https://attack.mitre.org/groups/G0095) is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)",
                    "aliases": [
                        "Machete",
                        "El Machete"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0095",
                            "external_id": "G0095"
                        },
                        {
                            "source_name": "Machete",
                            "description": "(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)"
                        },
                        {
                            "source_name": "El Machete",
                            "description": "(Citation: Cylance Machete Mar 2017)"
                        },
                        {
                            "source_name": "Cylance Machete Mar 2017",
                            "description": "The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.",
                            "url": "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
                        },
                        {
                            "source_name": "Securelist Machete Aug 2014",
                            "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.",
                            "url": "https://securelist.com/el-machete/66108/"
                        },
                        {
                            "source_name": "ESET Machete July 2019",
                            "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Matias Nicolas Porolli, ESET"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-22 16:46:45.662000+00:00\", \"old_value\": \"2020-03-28 21:28:33.395000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-04-18 17:59:24.739000+00:00",
                    "modified": "2020-07-29 21:27:47.641000+00:00",
                    "name": "MuddyWater",
                    "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)",
                    "aliases": [
                        "MuddyWater",
                        "Seedworm",
                        "TEMP.Zagros"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0069",
                            "external_id": "G0069"
                        },
                        {
                            "source_name": "MuddyWater",
                            "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)"
                        },
                        {
                            "source_name": "Seedworm",
                            "description": "(Citation: Symantec MuddyWater Dec 2018)"
                        },
                        {
                            "source_name": "TEMP.Zagros",
                            "description": "(Citation: FireEye MuddyWater Mar 2018)"
                        },
                        {
                            "source_name": "Unit 42 MuddyWater Nov 2017",
                            "description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
                        },
                        {
                            "source_name": "Symantec MuddyWater Dec 2018",
                            "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
                            "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
                        },
                        {
                            "source_name": "ClearSky MuddyWater Nov 2018",
                            "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
                            "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
                        },
                        {
                            "source_name": "ClearSky MuddyWater June 2019",
                            "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.",
                            "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf"
                        },
                        {
                            "source_name": "Reaqta MuddyWater November 2017",
                            "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.",
                            "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/"
                        },
                        {
                            "source_name": "FireEye MuddyWater Mar 2018",
                            "description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
                            "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "2.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-29 21:27:47.641000+00:00\", \"old_value\": \"2020-05-29 01:24:36.860000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}}",
                    "previous_version": "2.2",
                    "version_change": "2.2 \u2192 2.3"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:51.643000+00:00",
                    "modified": "2020-10-15 00:54:00.656000+00:00",
                    "name": "Night Dragon",
                    "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
                    "aliases": [
                        "Night Dragon"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0014",
                            "external_id": "G0014"
                        },
                        {
                            "source_name": "Night Dragon",
                            "description": "(Citation: McAfee Night Dragon)"
                        },
                        {
                            "source_name": "McAfee Night Dragon",
                            "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.",
                            "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-15 00:54:00.656000+00:00\", \"old_value\": \"2020-03-25 16:05:51.981000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-12-14 16:46:06.044000+00:00",
                    "modified": "2020-10-15 23:59:31.684000+00:00",
                    "name": "OilRig",
                    "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.",
                    "aliases": [
                        "OilRig",
                        "IRN2",
                        "HELIX KITTEN",
                        "APT34"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0049",
                            "external_id": "G0049"
                        },
                        {
                            "source_name": "OilRig",
                            "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)"
                        },
                        {
                            "source_name": "IRN2",
                            "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)"
                        },
                        {
                            "source_name": "HELIX KITTEN",
                            "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)"
                        },
                        {
                            "source_name": "APT34",
                            "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)"
                        },
                        {
                            "source_name": "Palo Alto OilRig April 2017",
                            "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.",
                            "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"
                        },
                        {
                            "source_name": "ClearSky OilRig Jan 2017",
                            "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.",
                            "url": "http://www.clearskysec.com/oilrig/"
                        },
                        {
                            "source_name": "Palo Alto OilRig May 2016",
                            "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.",
                            "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
                        },
                        {
                            "source_name": "Palo Alto OilRig Oct 2016",
                            "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.",
                            "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
                        },
                        {
                            "source_name": "Unit 42 Playbook Dec 2017",
                            "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.",
                            "url": "https://pan-unit42.github.io/playbook_viewer/"
                        },
                        {
                            "source_name": "FireEye APT34 Dec 2017",
                            "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
                        },
                        {
                            "source_name": "Unit 42 QUADAGENT July 2018",
                            "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"
                        },
                        {
                            "source_name": "Crowdstrike Helix Kitten Nov 2018",
                            "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.",
                            "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Robert Falcone",
                        "Bryan Lee"
                    ],
                    "x_mitre_version": "1.4",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-15 23:59:31.684000+00:00\", \"old_value\": \"2020-07-04 23:23:07.383000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}",
                    "previous_version": "1.3",
                    "version_change": "1.3 \u2192 1.4"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:07.145000+00:00",
                    "modified": "2020-10-14 20:39:49.350000+00:00",
                    "name": "Patchwork",
                    "description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018)",
                    "aliases": [
                        "Patchwork",
                        "Hangover Group",
                        "Dropping Elephant",
                        "Chinastrats",
                        "MONSOON",
                        "Operation Hangover"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0040",
                            "external_id": "G0040"
                        },
                        {
                            "source_name": "Patchwork",
                            "description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
                        },
                        {
                            "source_name": "Hangover Group",
                            "description": "Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)"
                        },
                        {
                            "source_name": "Dropping Elephant",
                            "description": "(Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
                        },
                        {
                            "source_name": "Chinastrats",
                            "description": "(Citation: Securelist Dropping Elephant)"
                        },
                        {
                            "source_name": "MONSOON",
                            "description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)"
                        },
                        {
                            "source_name": "Operation Hangover",
                            "description": "It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)"
                        },
                        {
                            "source_name": "Cymmetria Patchwork",
                            "description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.",
                            "url": "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf"
                        },
                        {
                            "source_name": "Symantec Patchwork",
                            "description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.",
                            "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
                        },
                        {
                            "source_name": "TrendMicro Patchwork Dec 2017",
                            "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
                            "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
                        },
                        {
                            "source_name": "Volexity Patchwork June 2018",
                            "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
                            "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
                        },
                        {
                            "source_name": "Securelist Dropping Elephant",
                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.",
                            "url": "https://securelist.com/the-dropping-elephant-actor/75328/"
                        },
                        {
                            "source_name": "PaloAlto Patchwork Mar 2018",
                            "description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
                        },
                        {
                            "source_name": "Unit 42 BackConfig May 2020",
                            "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.",
                            "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/"
                        },
                        {
                            "source_name": "Forcepoint Monsoon",
                            "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.",
                            "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
                        },
                        {
                            "source_name": "Operation Hangover May 2013",
                            "description": "Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.",
                            "url": "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 20:39:49.350000+00:00\", \"old_value\": \"2020-07-03 22:15:24.309000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-04-16 15:14:38.533000+00:00",
                    "modified": "2020-10-04 23:31:36.937000+00:00",
                    "name": "TEMP.Veles",
                    "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)",
                    "aliases": [
                        "TEMP.Veles",
                        "XENOTIME"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0088",
                            "external_id": "G0088"
                        },
                        {
                            "source_name": "TEMP.Veles",
                            "description": "(Citation: FireEye TRITON 2019)"
                        },
                        {
                            "source_name": "XENOTIME",
                            "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )"
                        },
                        {
                            "source_name": "FireEye TRITON 2019",
                            "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html"
                        },
                        {
                            "source_name": "FireEye TEMP.Veles 2018",
                            "description": "FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html "
                        },
                        {
                            "source_name": "FireEye TEMP.Veles JSON April 2019",
                            "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html"
                        },
                        {
                            "source_name": "Dragos Xenotime 2018",
                            "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.",
                            "url": "https://dragos.com/resource/xenotime/"
                        },
                        {
                            "source_name": "Pylos Xenotime 2019",
                            "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.",
                            "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/"
                        },
                        {
                            "source_name": "FireEye TEMP.Veles 2018 ",
                            "description": "FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html "
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-04 23:31:36.937000+00:00\", \"old_value\": \"2020-03-30 20:03:17.358000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:49.816000+00:00",
                    "modified": "2020-10-22 20:25:26.398000+00:00",
                    "name": "Turla",
                    "description": "[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)",
                    "aliases": [
                        "Turla",
                        "Waterbug",
                        "WhiteBear",
                        "VENOMOUS BEAR",
                        "Snake",
                        "Krypton"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0010",
                            "external_id": "G0010"
                        },
                        {
                            "source_name": "Turla",
                            "description": "(Citation: Kaspersky Turla)"
                        },
                        {
                            "source_name": "Waterbug",
                            "description": "Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug)"
                        },
                        {
                            "source_name": "WhiteBear",
                            "description": "WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)"
                        },
                        {
                            "source_name": "VENOMOUS BEAR",
                            "description": "(Citation: CrowdStrike VENOMOUS BEAR)"
                        },
                        {
                            "source_name": "Snake",
                            "description": "(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)"
                        },
                        {
                            "source_name": "Krypton",
                            "description": "(Citation: CrowdStrike VENOMOUS BEAR)"
                        },
                        {
                            "source_name": "Kaspersky Turla",
                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.",
                            "url": "https://securelist.com/the-epic-turla-operation/65545/"
                        },
                        {
                            "source_name": "ESET Gazer Aug 2017",
                            "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
                        },
                        {
                            "source_name": "CrowdStrike VENOMOUS BEAR",
                            "description": "Meyers, A. (2018, March 12). Meet CrowdStrike\u2019s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.",
                            "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/"
                        },
                        {
                            "source_name": "ESET Turla Mosquito Jan 2018",
                            "description": "ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.",
                            "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
                        },
                        {
                            "source_name": "Symantec Waterbug",
                            "description": "Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.",
                            "url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1"
                        },
                        {
                            "source_name": "Securelist WhiteBear Aug 2017",
                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.",
                            "url": "https://securelist.com/introducing-whitebear/81638/"
                        },
                        {
                            "source_name": "ESET Turla PowerShell May 2019",
                            "description": "Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.",
                            "url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Matthieu Faou, ESET",
                        "Edward Millington"
                    ],
                    "x_mitre_version": "1.4",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-22 20:25:26.398000+00:00\", \"old_value\": \"2020-07-06 14:49:46.052000+00:00\"}, \"root['description']\": {\"new_value\": \"[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)\", \"old_value\": \"[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017) (Citation: CrowdStrike VENOMOUS BEAR) (Citation: ESET Turla Mosquito Jan 2018)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}}",
                    "previous_version": "1.3",
                    "version_change": "1.3 \u2192 1.4",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to47__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to47__0\"><a href=\"#difflib_chg_to47__top\">t</a></td><td class=\"diff_header\" id=\"from47_1\">1</td><td nowrap=\"nowrap\">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;Russian-</td><td class=\"diff_next\"><a href=\"#difflib_chg_to47__top\">t</a></td><td class=\"diff_header\" id=\"to47_1\">1</td><td nowrap=\"nowrap\">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;Russian-</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">based&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;infected&nbsp;victims&nbsp;in&nbsp;over&nbsp;45&nbsp;coun</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">based&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;infected&nbsp;victims&nbsp;in&nbsp;over&nbsp;45&nbsp;coun</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tries,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;of&nbsp;industries&nbsp;including&nbsp;government,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tries,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;of&nbsp;industries&nbsp;including&nbsp;government,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">embassies,&nbsp;military,&nbsp;education,&nbsp;research&nbsp;and&nbsp;pharmaceutical&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">embassies,&nbsp;military,&nbsp;education,&nbsp;research&nbsp;and&nbsp;pharmaceutical&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">companies&nbsp;since&nbsp;2004.&nbsp;Heightened&nbsp;activity&nbsp;was&nbsp;seen&nbsp;in&nbsp;mid-20</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">companies&nbsp;since&nbsp;2004.&nbsp;Heightened&nbsp;activity&nbsp;was&nbsp;seen&nbsp;in&nbsp;mid-20</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">15.&nbsp;[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;known&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">15.&nbsp;[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;known&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">for&nbsp;conducting&nbsp;watering&nbsp;hole&nbsp;and&nbsp;spearphishing&nbsp;campaigns&nbsp;and</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">for&nbsp;conducting&nbsp;watering&nbsp;hole&nbsp;and&nbsp;spearphishing&nbsp;campaigns&nbsp;and</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;leveraging&nbsp;in-house&nbsp;tools&nbsp;and&nbsp;malware.&nbsp;[Turla](https://atta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;leveraging&nbsp;in-house&nbsp;tools&nbsp;and&nbsp;malware.&nbsp;[Turla](https://atta</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\">ck.mitre.org/groups/G0010)\u2019s&nbsp;espionage&nbsp;platform&nbsp;is&nbsp;mainly&nbsp;us</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck.mitre.org/groups/G0010)\u2019s&nbsp;espionage&nbsp;platform&nbsp;is&nbsp;mainly&nbsp;us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;against&nbsp;Windows&nbsp;machines,&nbsp;but&nbsp;has&nbsp;also&nbsp;been&nbsp;seen&nbsp;used&nbsp;aga</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;against&nbsp;Windows&nbsp;machines,&nbsp;but&nbsp;has&nbsp;also&nbsp;been&nbsp;seen&nbsp;used&nbsp;aga</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">inst&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;machines.<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;Kaspersky&nbsp;Turla)<span class=\"diff_sub\">&nbsp;</span>(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">inst&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;machines.(Citation:&nbsp;Kaspersky&nbsp;Turla)(Ci</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;ESET&nbsp;Gazer&nbsp;Aug&nbsp;2017)<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;CrowdStrike&nbsp;VENOMO</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tation:&nbsp;ESET&nbsp;Gazer&nbsp;Aug&nbsp;2017)(Citation:&nbsp;CrowdStrike&nbsp;VENOMOUS&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">US&nbsp;BEAR)<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;ESET&nbsp;Turla&nbsp;Mosquito&nbsp;Jan&nbsp;2018)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">BEAR)(Citation:&nbsp;ESET&nbsp;Turla&nbsp;Mosquito&nbsp;Jan&nbsp;2018)</td></tr>\n        </tbody>\n    
</table>"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:08.682000+00:00",
                    "modified": "2020-08-24 15:01:01.939000+00:00",
                    "name": "Winnti Group",
                    "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)",
                    "aliases": [
                        "Winnti Group",
                        "Blackfly"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0044",
                            "external_id": "G0044"
                        },
                        {
                            "source_name": "Winnti Group",
                            "description": "(Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015)"
                        },
                        {
                            "source_name": "Blackfly",
                            "description": "(Citation: Symantec Suckfly March 2016)"
                        },
                        {
                            "source_name": "Kaspersky Winnti April 2013",
                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.",
                            "url": "https://securelist.com/winnti-more-than-just-a-game/37029/"
                        },
                        {
                            "source_name": "Kaspersky Winnti June 2015",
                            "description": "Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.",
                            "url": "https://securelist.com/games-are-over/70991/"
                        },
                        {
                            "source_name": "Novetta Winnti April 2015",
                            "description": "Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.",
                            "url": "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
                        },
                        {
                            "source_name": "401 TRG Winnti Umbrella May 2018",
                            "description": "Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.",
                            "url": "https://401trg.com/burning-umbrella/"
                        },
                        {
                            "source_name": "Symantec Suckfly March 2016",
                            "description": "DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.",
                            "url": "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Edward Millington"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-24 15:01:01.939000+00:00\", \"old_value\": \"2020-05-04 22:15:08.418000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-05-12 18:15:29.396000+00:00",
                    "modified": "2020-08-03 18:57:52.513000+00:00",
                    "name": "Wizard Spider",
                    "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. (Citation: CrowdStrike Ryuk January 2019)",
                    "aliases": [
                        "Wizard Spider",
                        "TEMP.MixMaster",
                        "Grim Spider"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0102",
                            "external_id": "G0102"
                        },
                        {
                            "source_name": "TEMP.MixMaster",
                            "description": "(Citation: FireEye Ryuk and Trickbot January 2019)"
                        },
                        {
                            "source_name": "Grim Spider",
                            "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)"
                        },
                        {
                            "source_name": "CrowdStrike Ryuk January 2019",
                            "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.",
                            "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
                        },
                        {
                            "source_name": "FireEye Ryuk and Trickbot January 2019",
                            "description": "Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.",
                            "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
                        },
                        {
                            "source_name": "CrowdStrike Grim Spider May 2019",
                            "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.",
                            "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Oleksiy Gayda"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-03 18:57:52.513000+00:00\", \"old_value\": \"2020-06-16 17:30:19.543000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:32:09.054000+00:00",
                    "modified": "2020-08-13 17:15:14.339000+00:00",
                    "name": "menuPass",
                    "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017) (Citation: DOJ APT10 Dec 2018)",
                    "aliases": [
                        "menuPass",
                        "Stone Panda",
                        "APT10",
                        "Red Apollo",
                        "CVNX",
                        "HOGFISH"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0045",
                            "external_id": "G0045"
                        },
                        {
                            "source_name": "menuPass",
                            "description": "(Citation: Palo Alto menuPass Feb 2017)"
                        },
                        {
                            "source_name": "Stone Panda",
                            "description": "(Citation: Palo Alto menuPass Feb 2017) (Citation: Accenture Hogfish April 2018)"
                        },
                        {
                            "source_name": "APT10",
                            "description": "(Citation: Palo Alto menuPass Feb 2017) (Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)"
                        },
                        {
                            "source_name": "Red Apollo",
                            "description": "(Citation: PWC Cloud Hopper April 2017)"
                        },
                        {
                            "source_name": "CVNX",
                            "description": "(Citation: PWC Cloud Hopper April 2017)"
                        },
                        {
                            "source_name": "HOGFISH",
                            "description": "(Citation: Accenture Hogfish April 2018)"
                        },
                        {
                            "source_name": "Palo Alto menuPass Feb 2017",
                            "description": "Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.",
                            "url": "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/"
                        },
                        {
                            "source_name": "Crowdstrike CrowdCast Oct 2013",
                            "description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.",
                            "url": "https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
                        },
                        {
                            "source_name": "FireEye Poison Ivy",
                            "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
                        },
                        {
                            "source_name": "PWC Cloud Hopper April 2017",
                            "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.",
                            "url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
                        },
                        {
                            "source_name": "FireEye APT10 April 2017",
                            "description": "FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.",
                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
                        },
                        {
                            "source_name": "DOJ APT10 Dec 2018",
                            "description": "United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.",
                            "url": "https://www.justice.gov/opa/press-release/file/1121706/download"
                        },
                        {
                            "source_name": "Accenture Hogfish April 2018",
                            "description": "Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.",
                            "url": "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
                        },
                        {
                            "source_name": "FireEye APT10 Sept 2018",
                            "description": "Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.",
                            "url": "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Edward Millington",
                        "Michael Cox"
                    ],
                    "x_mitre_version": "1.5",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-13 17:15:14.339000+00:00\", \"old_value\": \"2020-03-30 02:32:34.960000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}}",
                    "previous_version": "1.4",
                    "version_change": "1.4 \u2192 1.5"
                }
            ],
            "other_version_changes": [
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-02-19 16:01:38.585000+00:00",
                    "modified": "2020-08-11 15:46:26.496000+00:00",
                    "name": "APT39",
                    "description": "[APT39](https://attack.mitre.org/groups/G0087) is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)",
                    "aliases": [
                        "APT39",
                        "Chafer"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0087",
                            "external_id": "G0087"
                        },
                        {
                            "source_name": "APT39",
                            "description": "(Citation: FireEye APT39 Jan 2019)"
                        },
                        {
                            "source_name": "Chafer",
                            "description": "Activities associated with APT39 largely align with a group publicly referred to as Chafer.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: Dark Reading APT39 JAN 2019)"
                        },
                        {
                            "source_name": "FireEye APT39 Jan 2019",
                            "description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.",
                            "url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html"
                        },
                        {
                            "source_name": "Symantec Chafer Dec 2015",
                            "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.",
                            "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
                        },
                        {
                            "source_name": "Dark Reading APT39 JAN 2019",
                            "description": "Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.",
                            "url": "https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "2.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-08-11 15:46:26.496000+00:00\", \"old_value\": \"2020-05-29 20:22:10.625000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.1\"}}}",
                    "previous_version": "2.1",
                    "version_change": "2.1 \u2192 2.3"
                }
            ],
            "patches": [
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-05-05 18:53:08.166000+00:00",
                    "modified": "2020-10-14 14:40:36.467000+00:00",
                    "name": "APT-C-36",
                    "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)",
                    "aliases": [
                        "APT-C-36",
                        "Blind Eagle"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0099",
                            "external_id": "G0099"
                        },
                        {
                            "source_name": "Blind Eagle",
                            "description": "(Citation: QiAnXin APT-C-36 Feb2019)"
                        },
                        {
                            "source_name": "QiAnXin APT-C-36 Feb2019",
                            "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.",
                            "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Jose Luis S\u00e1nchez Martinez"
                    ],
                    "x_mitre_version": "1.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 14:40:36.467000+00:00\", \"old_value\": \"2020-05-07 22:53:31.155000+00:00\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/\", \"old_value\": \"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/\"}}}",
                    "previous_version": "1.0"
                },
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-07-23 19:48:35.981000+00:00",
                    "name": "Honeybee",
                    "description": "[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)",
                    "aliases": [
                        "Honeybee"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0072",
                            "external_id": "G0072"
                        },
                        {
                            "source_name": "Honeybee",
                            "description": "(Citation: McAfee Honeybee)"
                        },
                        {
                            "source_name": "McAfee Honeybee",
                            "description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.",
                            "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-07-23 19:48:35.981000+00:00\", \"old_value\": \"2020-04-16 19:41:40.359000+00:00\"}, \"root['description']\": {\"new_value\": \"[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)\", \"old_value\": \"[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japans, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)\"}}}",
                    "previous_version": "1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to42__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to42__0\"><a href=\"#difflib_chg_to42__top\">t</a></td><td class=\"diff_header\" id=\"from42_1\">1</td><td nowrap=\"nowrap\">[Honeybee](https://attack.mitre.org/groups/G0072)&nbsp;is&nbsp;a&nbsp;campa</td><td class=\"diff_next\"><a href=\"#difflib_chg_to42__top\">t</a></td><td class=\"diff_header\" id=\"to42_1\">1</td><td nowrap=\"nowrap\">[Honeybee](https://attack.mitre.org/groups/G0072)&nbsp;is&nbsp;a&nbsp;campa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ign&nbsp;led&nbsp;by&nbsp;an&nbsp;unknown&nbsp;actor&nbsp;that&nbsp;targets&nbsp;humanitarian&nbsp;aid&nbsp;or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ign&nbsp;led&nbsp;by&nbsp;an&nbsp;unknown&nbsp;actor&nbsp;that&nbsp;targets&nbsp;humanitarian&nbsp;aid&nbsp;or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ganizations&nbsp;and&nbsp;has&nbsp;been&nbsp;active&nbsp;in&nbsp;Vietnam,&nbsp;Singapore,&nbsp;Argen</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ganizations&nbsp;and&nbsp;has&nbsp;been&nbsp;active&nbsp;in&nbsp;Vietnam,&nbsp;Singapore,&nbsp;Argen</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tina,&nbsp;Japan<span 
class=\"diff_chg\">s,</span>&nbsp;Indonesia,&nbsp;and&nbsp;Canada.&nbsp;It&nbsp;has&nbsp;been&nbsp;an&nbsp;active&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tina,&nbsp;Japan<span class=\"diff_chg\">,</span>&nbsp;Indonesia,&nbsp;and&nbsp;Canada.&nbsp;It&nbsp;has&nbsp;been&nbsp;an&nbsp;active&nbsp;op</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">peration&nbsp;since&nbsp;August&nbsp;of&nbsp;2017&nbsp;and&nbsp;as&nbsp;recently&nbsp;as&nbsp;February&nbsp;20</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eration&nbsp;since&nbsp;August&nbsp;of&nbsp;2017&nbsp;and&nbsp;as&nbsp;recently&nbsp;as&nbsp;February&nbsp;201</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">18.&nbsp;(Citation:&nbsp;McAfee&nbsp;Honeybee)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">8.&nbsp;(Citation:&nbsp;McAfee&nbsp;Honeybee)</td></tr>\n        </tbody>\n    </table>"
                }
            ],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "campaigns": {
            "additions": [],
            "major_version_changes": [],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "mitigations": {
            "additions": [
                {
                    "type": "course-of-action",
                    "id": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-10-19 14:57:58.771000+00:00",
                    "modified": "2020-10-20 19:52:32.439000+00:00",
                    "name": "Pre-compromise",
                    "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/mitigations/M1056",
                            "external_id": "M1056"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.0"
                }
            ],
            "major_version_changes": [],
            "minor_version_changes": [
                {
                    "type": "course-of-action",
                    "id": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-06-06 16:50:04.963000+00:00",
                    "modified": "2020-10-21 19:08:13.228000+00:00",
                    "name": "User Training",
                    "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/mitigations/M1017",
                            "external_id": "M1017"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_version": "1.2",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-21 19:08:13.228000+00:00\", \"old_value\": \"2020-03-31 13:11:34.857000+00:00\"}, \"root['description']\": {\"new_value\": \"Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.\", \"old_value\": \"Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 1.2",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to49__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to49__0\"><a href=\"#difflib_chg_to49__top\">t</a></td><td class=\"diff_header\" id=\"from49_1\">1</td><td nowrap=\"nowrap\">Train&nbsp;users&nbsp;to&nbsp;<span class=\"diff_sub\">to&nbsp;</span>be&nbsp;aware&nbsp;of&nbsp;access&nbsp;or&nbsp;manipulation&nbsp;attempt</td><td class=\"diff_next\"><a href=\"#difflib_chg_to49__top\">t</a></td><td class=\"diff_header\" id=\"to49_1\">1</td><td nowrap=\"nowrap\">Train&nbsp;users&nbsp;to&nbsp;be&nbsp;aware&nbsp;of&nbsp;access&nbsp;or&nbsp;manipulation&nbsp;attempts&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;by&nbsp;an&nbsp;adversary&nbsp;to&nbsp;reduce&nbsp;the&nbsp;risk&nbsp;of&nbsp;successful&nbsp;spearphis</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;an&nbsp;adversary&nbsp;to&nbsp;reduce&nbsp;the&nbsp;risk&nbsp;of&nbsp;successful&nbsp;spearphishin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hing,&nbsp;social&nbsp;engineering,&nbsp;and&nbsp;other&nbsp;techniques&nbsp;that&nbsp;involve&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g,&nbsp;social&nbsp;engineering,&nbsp;and&nbsp;other&nbsp;techniques&nbsp;that&nbsp;involve&nbsp;use</td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">user&nbsp;interaction.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;interaction.</td></tr>\n        </tbody>\n    </table>"
                }
            ],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "datasources": {
            "additions": [],
            "major_version_changes": [],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "datacomponents": {
            "additions": [],
            "major_version_changes": [],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        }
    },
    "mobile-attack": {
        "techniques": {
            "additions": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-11 15:04:14.532000+00:00",
                    "modified": "2020-10-01 12:43:41.494000+00:00",
                    "name": "Geofencing",
                    "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-mobile-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/techniques/T1581",
                            "external_id": "T1581"
                        },
                        {
                            "source_name": "Lookout eSurv",
                            "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.",
                            "url": "https://blog.lookout.com/esurv-research"
                        },
                        {
                            "source_name": "Android Geofencing API",
                            "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020.",
                            "url": "https://developer.android.com/training/location/geofencing"
                        },
                        {
                            "source_name": "Apple Location Services",
                            "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020.",
                            "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Android",
                        "iOS"
                    ],
                    "x_mitre_tactic_type": [
                        "Post-Adversary Device Access"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-11 15:14:33.730000+00:00",
                    "modified": "2020-10-22 17:04:15.578000+00:00",
                    "name": "SMS Control",
                    "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-mobile-attack",
                            "phase_name": "impact"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/techniques/T1582",
                            "external_id": "T1582"
                        },
                        {
                            "source_name": "NIST Mobile Threat Catalogue",
                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html",
                            "external_id": "APP-16"
                        },
                        {
                            "source_name": "NIST Mobile Threat Catalogue",
                            "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html",
                            "external_id": "CEL-41"
                        },
                        {
                            "source_name": "SMS KitKat",
                            "description": "S.Main, D. Braun. (2013, October 14).  Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.",
                            "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html"
                        },
                        {
                            "source_name": "Android SmsProvider",
                            "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.",
                            "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Users can view the default SMS handler in system settings.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_tactic_type": [
                        "Post-Adversary Device Access"
                    ],
                    "x_mitre_version": "1.0"
                }
            ],
            "major_version_changes": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-10-25 14:48:32.008000+00:00",
                    "modified": "2020-10-01 12:42:21.628000+00:00",
                    "name": "URI Hijacking",
                    "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-mobile-attack",
                            "phase_name": "credential-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/techniques/T1416",
                            "external_id": "T1416"
                        },
                        {
                            "source_name": "Trend Micro iOS URL Hijacking",
                            "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12).  iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
                        },
                        {
                            "source_name": "IETF-PKCE",
                            "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.",
                            "url": "https://tools.ietf.org/html/rfc7636"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "Leo Zhang, Trend Micro",
                        "Steven Du, Trend Micro"
                    ],
                    "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_old_attack_id": "MOB-T1019",
                    "x_mitre_platforms": [
                        "Android",
                        "iOS"
                    ],
                    "x_mitre_tactic_type": [
                        "Post-Adversary Device Access"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Leo Zhang, Trend Micro\", \"Steven Du, Trend Micro\"], \"root['x_mitre_detection']\": \"On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.\", \"root['x_mitre_is_subtechnique']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-01 12:42:21.628000+00:00\", \"old_value\": \"2019-02-03 17:05:31.465000+00:00\"}, \"root['name']\": {\"new_value\": \"URI Hijacking\", \"old_value\": \"Android Intent Hijacking\"}, \"root['description']\": {\"new_value\": \"Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\\n\\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. 
Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)\", \"old_value\": \"A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).\\n+Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\\n+\\n+Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"Trend Micro iOS URL Hijacking\", \"old_value\": \"IETF-PKCE\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"L. Wu, Y. Zhou, M. Li. (2019, July 12).  iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.\", \"old_value\": \"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. 
Retrieved December 21, 2016.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/\", \"old_value\": \"https://tools.ietf.org/html/rfc7636\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"IETF-PKCE\", \"description\": \"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.\", \"url\": \"https://tools.ietf.org/html/rfc7636\"}, \"root['x_mitre_platforms'][1]\": \"iOS\"}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to50__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to50__0\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"from50_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">A&nbsp;malicious&nbsp;app&nbsp;can&nbsp;register&nbsp;to&nbsp;receive&nbsp;intents&nbsp;meant&nbsp;for&nbsp;ot</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"to50_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;register&nbsp;Uniform&nbsp;Resource&nbsp;Identifiers&nbsp;(URIs)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">her&nbsp;applications&nbsp;and&nbsp;may&nbsp;then&nbsp;be&nbsp;able&nbsp;to&nbsp;receive&nbsp;sensitive&nbsp;v</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;intercept&nbsp;sensitive&nbsp;data.&nbsp;&nbsp;Applications&nbsp;regularly&nbsp;regist</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alues&nbsp;such&nbsp;as&nbsp;OAuth&nbsp;authorization&nbsp;codes(Citation:&nbsp;IETF-PKCE)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">er&nbsp;URIs&nbsp;with&nbsp;the&nbsp;operating&nbsp;system&nbsp;to&nbsp;act&nbsp;as&nbsp;a&nbsp;response&nbsp;handl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;for&nbsp;various&nbsp;actions,&nbsp;such&nbsp;as&nbsp;logging&nbsp;into&nbsp;an&nbsp;app&nbsp;using&nbsp;an</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;external&nbsp;account&nbsp;via&nbsp;single&nbsp;sign-on.&nbsp;This&nbsp;allows&nbsp;redirectio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ns&nbsp;to&nbsp;that&nbsp;specific&nbsp;URI&nbsp;to&nbsp;be&nbsp;intercepted&nbsp;by&nbsp;the&nbsp;application</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.&nbsp;If&nbsp;a&nbsp;malicious&nbsp;application&nbsp;were&nbsp;to&nbsp;register&nbsp;for&nbsp;a&nbsp;URI&nbsp;that</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;was&nbsp;already&nbsp;in&nbsp;use&nbsp;by&nbsp;a&nbsp;genuine&nbsp;application,&nbsp;the&nbsp;malicious&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td 
nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">application&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;intercept&nbsp;data&nbsp;intended&nbsp;for&nbsp;the&nbsp;g</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">enuine&nbsp;application&nbsp;or&nbsp;perform&nbsp;a&nbsp;phishing&nbsp;attack&nbsp;against&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">genuine&nbsp;application.&nbsp;Intercepted&nbsp;data&nbsp;may&nbsp;include&nbsp;OAuth&nbsp;auth</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">orization&nbsp;codes&nbsp;or&nbsp;tokens&nbsp;that&nbsp;could&nbsp;be&nbsp;used&nbsp;by&nbsp;the&nbsp;maliciou</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;application&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;resources.(Citation:&nbsp;Trend&nbsp;M</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icro&nbsp;iOS&nbsp;URL&nbsp;Hijacking)(Citation:&nbsp;IETF-PKCE)</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1005: Application Vetting"
                        ],
                        "new": [
                            "M1006: Use Recent OS Version",
                            "M1013: Application Developer Guidance"
                        ],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                }
            ],
            "minor_version_changes": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-10-25 14:48:31.694000+00:00",
                    "modified": "2020-10-01 12:52:58.150000+00:00",
                    "name": "Delete Device Data",
                    "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-mobile-attack",
                            "phase_name": "impact"
                        },
                        {
                            "kill_chain_name": "mitre-mobile-attack",
                            "phase_name": "defense-evasion"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/techniques/T1447",
                            "external_id": "T1447"
                        },
                        {
                            "source_name": "Android DevicePolicyManager 2019",
                            "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019.",
                            "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_old_attack_id": "MOB-T1050",
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_tactic_type": [
                        "Post-Adversary Device Access"
                    ],
                    "x_mitre_version": "2.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_detection']\": \"Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.\", \"root['x_mitre_is_subtechnique']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-01 12:52:58.150000+00:00\", \"old_value\": \"2019-09-25 16:58:12.859000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\\n\\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.\", \"old_value\": \"An adversary could wipe the entire device contents or delete specific files. A malicious application could obtain and abuse Android device administrator access to wipe the entire device.(Citation: Android DevicePolicyManager 2019) Access to external storage directories or escalated privileges could be used to delete individual files.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-An adversary could wipe the entire device contents or delete specific files. 
A malicious application could obtain and abuse Android device administrator access to wipe the entire device.(Citation: Android DevicePolicyManager 2019) Access to external storage directories or escalated privileges could be used to delete individual files.\\n+Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\\n+\\n+Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-mobile-attack\", \"phase_name\": \"defense-evasion\"}}}",
                    "previous_version": "2.0",
                    "version_change": "2.0 \u2192 2.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to52__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to52__0\"><a href=\"#difflib_chg_to52__top\">t</a></td><td class=\"diff_header\" id=\"from52_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">An&nbsp;adversary&nbsp;could&nbsp;wipe&nbsp;the&nbsp;entire&nbsp;device&nbsp;contents&nbsp;or&nbsp;delete</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to52__top\">t</a></td><td class=\"diff_header\" id=\"to52_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;wipe&nbsp;a&nbsp;device&nbsp;or&nbsp;delete&nbsp;individual&nbsp;files&nbsp;in&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;specific&nbsp;files.&nbsp;A&nbsp;malicious&nbsp;application&nbsp;could&nbsp;obtain&nbsp;and&nbsp;ab</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">order&nbsp;to&nbsp;manipulate&nbsp;external&nbsp;outcomes&nbsp;or&nbsp;hide&nbsp;activity.&nbsp;An&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">use&nbsp;Android&nbsp;device&nbsp;administrator&nbsp;access&nbsp;to&nbsp;wipe&nbsp;the&nbsp;entire&nbsp;d</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">pplication&nbsp;must&nbsp;have&nbsp;administrator&nbsp;access&nbsp;to&nbsp;fully&nbsp;wipe&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">evice.(Citation:&nbsp;Android&nbsp;DevicePolicyManager&nbsp;2019)&nbsp;Access&nbsp;to</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">device,&nbsp;while&nbsp;individual&nbsp;files&nbsp;may&nbsp;not&nbsp;require&nbsp;special&nbsp;permi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;external&nbsp;storage&nbsp;directories&nbsp;or&nbsp;escalated&nbsp;privileges&nbsp;could&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ssions&nbsp;to&nbsp;delete&nbsp;depending&nbsp;on&nbsp;their&nbsp;storage&nbsp;location.&nbsp;(Citat</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">be&nbsp;used&nbsp;to&nbsp;delete&nbsp;individual&nbsp;files.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ion:&nbsp;Android&nbsp;DevicePolicyManager&nbsp;2019)&nbsp;&nbsp;Stored&nbsp;data&nbsp;could&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">clude&nbsp;a&nbsp;variety&nbsp;of&nbsp;file&nbsp;formats,&nbsp;such&nbsp;as&nbsp;Office&nbsp;files,&nbsp;datab</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td 
nowrap=\"nowrap\"><span class=\"diff_add\">ases,&nbsp;stored&nbsp;emails,&nbsp;and&nbsp;custom&nbsp;file&nbsp;formats.&nbsp;The&nbsp;impact&nbsp;fil</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;deletion&nbsp;will&nbsp;have&nbsp;depends&nbsp;on&nbsp;the&nbsp;type&nbsp;of&nbsp;data&nbsp;as&nbsp;well&nbsp;as&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">the&nbsp;goals&nbsp;and&nbsp;objectives&nbsp;of&nbsp;the&nbsp;adversary,&nbsp;but&nbsp;can&nbsp;include&nbsp;d</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">eleting&nbsp;update&nbsp;files&nbsp;to&nbsp;evade&nbsp;detection&nbsp;or&nbsp;deleting&nbsp;attacker</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">-specified&nbsp;files&nbsp;for&nbsp;impact.</span></td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [
                            "M1007: Caution with Device Administrator Access"
                        ],
                        "new": [
                            "M1005: Application Vetting",
                            "M1011: User Guidance"
                        ],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                },
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-10-19 18:06:09.010000+00:00",
                    "name": "Supply Chain Compromise",
                    "description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nThird-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).",
                    "kill_chain_phases": [
                        {
                            "kill_chain_name": "mitre-mobile-attack",
                            "phase_name": "initial-access"
                        }
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/techniques/T1474",
                            "external_id": "T1474"
                        },
                        {
                            "source_name": "NIST Mobile Threat Catalogue",
                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html",
                            "external_id": "APP-6"
                        },
                        {
                            "source_name": "NowSecure-RemoteCode",
                            "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved December 22, 2016.",
                            "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"
                        },
                        {
                            "source_name": "Grace-Advertisement",
                            "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.",
                            "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_detection": "* Insecure third-party libraries could be detected by application vetting techniques. For example, Google's [App Security Improvement Program](https://developer.android.com/google/play/asi) detects the use of third-party libraries with known vulnerabilities within Android apps submitted to the Google Play Store.\n* Malicious software development tools could be detected by enterprises deploying integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.",
                    "x_mitre_is_subtechnique": false,
                    "x_mitre_old_attack_id": "MOB-T1077",
                    "x_mitre_platforms": [
                        "Android",
                        "iOS"
                    ],
                    "x_mitre_tactic_type": [
                        "Post-Adversary Device Access"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_is_subtechnique']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-19 18:06:09.010000+00:00\", \"old_value\": \"2018-10-17 00:14:20.652000+00:00\"}, \"root['description']\": {\"new_value\": \"As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\\n\\nThird-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).\", \"old_value\": \"As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. 
In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\\n\\nRelated PRE-ATT&CK techniques include:\\n\\n* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\\n* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,3 @@\\n As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. 
In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\\n \\n-Related PRE-ATT&CK techniques include:\\n-\\n-* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\\n-* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\\n+Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_removed\": {\"root['external_references'][4]\": {\"source_name\": \"PaloAlto-XcodeGhost1\", \"description\": \"Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. 
Retrieved December 21, 2016.\", \"url\": \"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to51__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to51__0\"><a href=\"#difflib_chg_to51__top\">t</a></td><td class=\"diff_header\" id=\"from51_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">As&nbsp;further&nbsp;described&nbsp;in&nbsp;[Supply&nbsp;Chain&nbsp;Compromise](https://at</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to51__top\">t</a></td><td class=\"diff_header\" id=\"to51_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">As&nbsp;further&nbsp;described&nbsp;in&nbsp;[Supply&nbsp;Chain&nbsp;Compromise](https://at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tack.mitre.org/techniques/T1195),&nbsp;supply&nbsp;chain&nbsp;compromise&nbsp;is</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tack.mitre.org/techniques/T1195),&nbsp;supply&nbsp;chain&nbsp;compromise&nbsp;is</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;manipulation&nbsp;of&nbsp;products&nbsp;or&nbsp;product&nbsp;delivery&nbsp;mechanisms</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">&nbsp;the&nbsp;manipulation&nbsp;of&nbsp;products&nbsp;or&nbsp;product&nbsp;delivery&nbsp;mechanisms</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;prior&nbsp;to&nbsp;receipt&nbsp;by&nbsp;a&nbsp;final&nbsp;consumer&nbsp;for&nbsp;the&nbsp;purpose&nbsp;of&nbsp;dat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;prior&nbsp;to&nbsp;receipt&nbsp;by&nbsp;a&nbsp;final&nbsp;consumer&nbsp;for&nbsp;the&nbsp;purpose&nbsp;of&nbsp;dat</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">a&nbsp;or&nbsp;system&nbsp;compromise.&nbsp;Somewhat&nbsp;related,&nbsp;adversaries&nbsp;could&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">a&nbsp;or&nbsp;system&nbsp;compromise.&nbsp;Somewhat&nbsp;related,&nbsp;adversaries&nbsp;could&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">also&nbsp;identify&nbsp;and&nbsp;exploit&nbsp;inadvertently&nbsp;present&nbsp;vulnerabilit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">also&nbsp;identify&nbsp;and&nbsp;exploit&nbsp;inadvertently&nbsp;present&nbsp;vulnerabilit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ies.&nbsp;In&nbsp;many&nbsp;cases,&nbsp;it&nbsp;may&nbsp;be&nbsp;difficult&nbsp;to&nbsp;be&nbsp;certain&nbsp;whethe</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">ies.&nbsp;In&nbsp;many&nbsp;cases,&nbsp;it&nbsp;may&nbsp;be&nbsp;difficult&nbsp;to&nbsp;be&nbsp;certain&nbsp;whethe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">r&nbsp;exploitable&nbsp;functionality&nbsp;is&nbsp;due&nbsp;to&nbsp;malicious&nbsp;intent&nbsp;or&nbsp;si</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">r&nbsp;exploitable&nbsp;functionality&nbsp;is&nbsp;due&nbsp;to&nbsp;malicious&nbsp;intent&nbsp;or&nbsp;si</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mply&nbsp;inadvertent&nbsp;mistake.&nbsp;&nbsp;Related&nbsp;PRE-ATT&amp;CK&nbsp;techniques&nbsp;inc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mply&nbsp;inadvertent&nbsp;mistake.&nbsp;&nbsp;Third-party&nbsp;libraries&nbsp;incorporate</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lude:&nbsp;&nbsp;*&nbsp;[Identify&nbsp;vulnerabilities&nbsp;in&nbsp;third-party&nbsp;software&nbsp;l</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;into&nbsp;mobile&nbsp;apps&nbsp;could&nbsp;contain&nbsp;malicious&nbsp;behavior,&nbsp;privacy</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ibraries](https://attack.mitre.org/techniques/T1389)&nbsp;-&nbsp;Third</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">-invasive&nbsp;behavior,&nbsp;or&nbsp;exploitable&nbsp;vulnerabilities.&nbsp;An&nbsp;adver</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">-party&nbsp;libraries&nbsp;incorporated&nbsp;into&nbsp;mobile&nbsp;apps&nbsp;could&nbsp;contain</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">sary&nbsp;could&nbsp;deliberately&nbsp;insert&nbsp;malicious&nbsp;behavior&nbsp;or&nbsp;could&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;malicious&nbsp;behavior,&nbsp;privacy-invasive&nbsp;behavior,&nbsp;or&nbsp;exploitab</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xploit&nbsp;inadvertent&nbsp;vulnerabilities.&nbsp;For&nbsp;example,&nbsp;security&nbsp;is</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">le&nbsp;vulnerabilities.&nbsp;An&nbsp;adversary&nbsp;could&nbsp;deliberately&nbsp;insert&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">sues&nbsp;have&nbsp;previously&nbsp;been&nbsp;identified&nbsp;in&nbsp;third-party&nbsp;advertis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alicious&nbsp;behavior&nbsp;or&nbsp;could&nbsp;exploit&nbsp;inadvertent&nbsp;vulnerabiliti</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;libraries&nbsp;incorporated&nbsp;into&nbsp;apps.(Citation:&nbsp;NowSecure-Re</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_sub\">es.&nbsp;For&nbsp;example,&nbsp;Ryan&nbsp;Welton&nbsp;of&nbsp;NowSecure&nbsp;identified&nbsp;exploit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">moteCode)(Citation:&nbsp;Grace-Advertisement).</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">able&nbsp;remote&nbsp;code&nbsp;execution&nbsp;vulnerabilities&nbsp;in&nbsp;a&nbsp;third-party&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">advertisement&nbsp;library&nbsp;(Citation:&nbsp;NowSecure-RemoteCode).&nbsp;Grac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;et&nbsp;al.&nbsp;identified&nbsp;security&nbsp;issues&nbsp;in&nbsp;mobile&nbsp;advertisement&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">libraries&nbsp;(Citation:&nbsp;Grace-Advertisement).&nbsp;*&nbsp;[Distribute&nbsp;mal</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">icious&nbsp;software&nbsp;development&nbsp;tools](https://attack.mitre.org/</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">techniques/T1394)&nbsp;-&nbsp;As&nbsp;demonstrated&nbsp;by&nbsp;the&nbsp;XcodeGhost&nbsp;attack</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;(Citation:&nbsp;PaloAlto-XcodeGhost1),&nbsp;app&nbsp;developers&nbsp;could&nbsp;be&nbsp;p</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rovided&nbsp;with&nbsp;modified&nbsp;versions&nbsp;of&nbsp;software&nbsp;development&nbsp;tools</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;(e.g.&nbsp;compilers)&nbsp;that&nbsp;automatically&nbsp;inject&nbsp;malicious&nbsp;or&nbsp;exp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">loitable&nbsp;code&nbsp;into&nbsp;applications.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                    "changelog_mitigations": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    },
                    "changelog_detections": {
                        "shared": [],
                        "new": [],
                        "dropped": []
                    }
                }
            ],
            "other_version_changes": [],
            "patches": [],
            "revocations": [
                {
                    "type": "attack-pattern",
                    "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
                    "created": "2017-10-25 14:48:17.533000+00:00",
                    "modified": "2020-10-23 15:05:40.674000+00:00",
                    "name": "URL Scheme Hijacking",
                    "revoked": true,
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/techniques/T1415",
                            "external_id": "T1415"
                        },
                        {
                            "source_name": "NIST Mobile Threat Catalogue",
                            "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html",
                            "external_id": "AUT-10"
                        },
                        {
                            "source_name": "FireEye-Masque2",
                            "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.",
                            "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html"
                        },
                        {
                            "source_name": "Dhanjani-URLScheme",
                            "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.",
                            "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
                        },
                        {
                            "source_name": "IETF-PKCE",
                            "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.",
                            "url": "https://tools.ietf.org/html/rfc7636"
                        },
                        {
                            "source_name": "MobileIron-XARA",
                            "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.",
                            "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"
                        }
                    ],
                    "x_mitre_old_attack_id": "MOB-T1018",
                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['created_by_ref']\": \"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5\", \"root['description']\": \"An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).\", \"root['kill_chain_phases']\": [{\"kill_chain_name\": \"mitre-mobile-attack\", \"phase_name\": \"credential-access\"}], \"root['object_marking_refs']\": [\"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168\"], \"root['x_mitre_platforms']\": [\"iOS\"], \"root['x_mitre_tactic_type']\": [\"Post-Adversary Device Access\"], \"root['x_mitre_version']\": \"1.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-23 15:05:40.674000+00:00\", \"old_value\": \"2019-02-03 17:03:45.255000+00:00\"}, \"root['revoked']\": {\"new_value\": true, \"old_value\": false}}}",
                    "revoked_by": {
                        "type": "attack-pattern",
                        "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
                        "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                        "created": "2017-10-25 14:48:32.008000+00:00",
                        "modified": "2020-10-01 12:42:21.628000+00:00",
                        "name": "URI Hijacking",
                        "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)",
                        "kill_chain_phases": [
                            {
                                "kill_chain_name": "mitre-mobile-attack",
                                "phase_name": "credential-access"
                            }
                        ],
                        "revoked": false,
                        "external_references": [
                            {
                                "source_name": "mitre-mobile-attack",
                                "url": "https://attack.mitre.org/techniques/T1416",
                                "external_id": "T1416"
                            },
                            {
                                "source_name": "Trend Micro iOS URL Hijacking",
                                "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12).  iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.",
                                "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"
                            },
                            {
                                "source_name": "IETF-PKCE",
                                "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.",
                                "url": "https://tools.ietf.org/html/rfc7636"
                            }
                        ],
                        "object_marking_refs": [
                            "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                        ],
                        "x_mitre_contributors": [
                            "Leo Zhang, Trend Micro",
                            "Steven Du, Trend Micro"
                        ],
                        "x_mitre_detection": "On Android, when more than one installed application has registered a handler for the same URI, the user may be presented with a chooser popup to select which application should open it. If the user sees an application they do not recognize in that chooser, they can remove it.",
                        "x_mitre_is_subtechnique": false,
                        "x_mitre_old_attack_id": "MOB-T1019",
                        "x_mitre_platforms": [
                            "Android",
                            "iOS"
                        ],
                        "x_mitre_tactic_type": [
                            "Post-Adversary Device Access"
                        ],
                        "x_mitre_version": "2.0",
                        "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Leo Zhang, Trend Micro\", \"Steven Du, Trend Micro\"], \"root['x_mitre_detection']\": \"On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.\", \"root['x_mitre_is_subtechnique']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-01 12:42:21.628000+00:00\", \"old_value\": \"2019-02-03 17:05:31.465000+00:00\"}, \"root['name']\": {\"new_value\": \"URI Hijacking\", \"old_value\": \"Android Intent Hijacking\"}, \"root['description']\": {\"new_value\": \"Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\\n\\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. 
Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)\", \"old_value\": \"A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).\\n+Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\\n+\\n+Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"Trend Micro iOS URL Hijacking\", \"old_value\": \"IETF-PKCE\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"L. Wu, Y. Zhou, M. Li. (2019, July 12).  iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.\", \"old_value\": \"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. 
Retrieved December 21, 2016.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/\", \"old_value\": \"https://tools.ietf.org/html/rfc7636\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"IETF-PKCE\", \"description\": \"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.\", \"url\": \"https://tools.ietf.org/html/rfc7636\"}, \"root['x_mitre_platforms'][1]\": \"iOS\"}}",
                        "previous_version": "1.1",
                        "version_change": "1.1 \u2192 2.0",
                        "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to50__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to50__0\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"from50_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">A&nbsp;malicious&nbsp;app&nbsp;can&nbsp;register&nbsp;to&nbsp;receive&nbsp;intents&nbsp;meant&nbsp;for&nbsp;ot</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"to50_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;register&nbsp;Uniform&nbsp;Resource&nbsp;Identifiers&nbsp;(URIs)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">her&nbsp;applications&nbsp;and&nbsp;may&nbsp;then&nbsp;be&nbsp;able&nbsp;to&nbsp;receive&nbsp;sensitive&nbsp;v</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;intercept&nbsp;sensitive&nbsp;data.&nbsp;&nbsp;Applications&nbsp;regularly&nbsp;regist</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alues&nbsp;such&nbsp;as&nbsp;OAuth&nbsp;authorization&nbsp;codes(Citation:&nbsp;IETF-PKCE)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">er&nbsp;URIs&nbsp;with&nbsp;the&nbsp;operating&nbsp;system&nbsp;to&nbsp;act&nbsp;as&nbsp;a&nbsp;response&nbsp;handl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;for&nbsp;various&nbsp;actions,&nbsp;such&nbsp;as&nbsp;logging&nbsp;into&nbsp;an&nbsp;app&nbsp;using&nbsp;an</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;external&nbsp;account&nbsp;via&nbsp;single&nbsp;sign-on.&nbsp;This&nbsp;allows&nbsp;redirectio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ns&nbsp;to&nbsp;that&nbsp;specific&nbsp;URI&nbsp;to&nbsp;be&nbsp;intercepted&nbsp;by&nbsp;the&nbsp;application</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.&nbsp;If&nbsp;a&nbsp;malicious&nbsp;application&nbsp;were&nbsp;to&nbsp;register&nbsp;for&nbsp;a&nbsp;URI&nbsp;that</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;was&nbsp;already&nbsp;in&nbsp;use&nbsp;by&nbsp;a&nbsp;genuine&nbsp;application,&nbsp;the&nbsp;malicious&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td 
nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">application&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;intercept&nbsp;data&nbsp;intended&nbsp;for&nbsp;the&nbsp;g</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">enuine&nbsp;application&nbsp;or&nbsp;perform&nbsp;a&nbsp;phishing&nbsp;attack&nbsp;against&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">genuine&nbsp;application.&nbsp;Intercepted&nbsp;data&nbsp;may&nbsp;include&nbsp;OAuth&nbsp;auth</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">orization&nbsp;codes&nbsp;or&nbsp;tokens&nbsp;that&nbsp;could&nbsp;be&nbsp;used&nbsp;by&nbsp;the&nbsp;maliciou</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;application&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;resources.(Citation:&nbsp;Trend&nbsp;M</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icro&nbsp;iOS&nbsp;URL&nbsp;Hijacking)(Citation:&nbsp;IETF-PKCE)</span></td></tr>\n        </tbody>\n    </table>",
                        "changelog_mitigations": {
                            "shared": [
                                "M1005: Application Vetting"
                            ],
                            "new": [
                                "M1006: Use Recent OS Version",
                                "M1013: Application Developer Guidance"
                            ],
                            "dropped": []
                        },
                        "changelog_detections": {
                            "shared": [],
                            "new": [],
                            "dropped": []
                        }
                    }
                }
            ],
            "deprecations": [],
            "deletions": []
        },
        "software": {
            "additions": [
                {
                    "type": "malware",
                    "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-11 14:54:16.188000+00:00",
                    "modified": "2020-09-11 16:23:16.039000+00:00",
                    "name": "Desert Scorpion",
                    "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0505",
                            "external_id": "S0505"
                        },
                        {
                            "source_name": "Lookout Desert Scorpion",
                            "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.",
                            "url": "https://blog.lookout.com/desert-scorpion-google-play"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Desert Scorpion"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-15 15:18:11.971000+00:00",
                    "modified": "2020-10-06 20:09:57.659000+00:00",
                    "name": "FakeSpy",
                    "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0509",
                            "external_id": "S0509"
                        },
                        {
                            "source_name": "Cybereason FakeSpy",
                            "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.",
                            "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "FakeSpy"
                    ],
                    "x_mitre_contributors": [
                        "Ofir Almkias, Cybereason"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-15 20:20:58.846000+00:00",
                    "modified": "2020-09-11 15:52:12.097000+00:00",
                    "name": "Mandrake",
                    "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is actively maintained, and its capabilities have been used in narrowly targeted, carefully executed attacks.\n\n[Mandrake](https://attack.mitre.org/software/S0485) evaded detection for several years by distributing legitimate, ad-free applications backed by social media presence and genuine user reviews. The malicious functionality is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0485",
                            "external_id": "S0485"
                        },
                        {
                            "source_name": "oxide",
                            "description": "(Citation: Bitdefender Mandrake)"
                        },
                        {
                            "source_name": "briar",
                            "description": "(Citation: Bitdefender Mandrake)"
                        },
                        {
                            "source_name": "ricinus",
                            "description": "(Citation: Bitdefender Mandrake)"
                        },
                        {
                            "source_name": "darkmatter",
                            "description": "(Citation: Bitdefender Mandrake)"
                        },
                        {
                            "source_name": "Bitdefender Mandrake",
                            "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.",
                            "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Mandrake",
                        "oxide",
                        "briar",
                        "ricinus",
                        "darkmatter"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-10-25 14:48:42.313000+00:00",
                    "modified": "2020-09-30 13:19:59.692000+00:00",
                    "name": "Twitoor",
                    "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/software/S0302",
                            "external_id": "S0302"
                        },
                        {
                            "source_name": "Twitoor",
                            "description": "(Citation: ESET-Twitoor)"
                        },
                        {
                            "source_name": "ESET-Twitoor",
                            "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.",
                            "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Twitoor"
                    ],
                    "x_mitre_old_attack_id": "MOB-S0018",
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "2.0"
                },
                {
                    "type": "malware",
                    "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-11 16:22:02.954000+00:00",
                    "modified": "2020-09-29 20:03:42.662000+00:00",
                    "name": "ViperRAT",
                    "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0506",
                            "external_id": "S0506"
                        },
                        {
                            "source_name": "Lookout ViperRAT",
                            "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.",
                            "url": "https://blog.lookout.com/viperrat-mobile-apt"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "ViperRAT"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-20 13:27:33.113000+00:00",
                    "modified": "2020-09-11 15:58:40.564000+00:00",
                    "name": "WolfRAT",
                    "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0489",
                            "external_id": "S0489"
                        },
                        {
                            "source_name": "Talos-WolfRAT",
                            "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... Retrieved July 20, 2020.",
                            "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "WolfRAT"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-20 13:58:53.422000+00:00",
                    "modified": "2020-10-16 01:48:10.412000+00:00",
                    "name": "XLoader for iOS",
                    "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0490",
                            "external_id": "S0490"
                        },
                        {
                            "source_name": "TrendMicro-XLoader-FakeSpy",
                            "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "XLoader for iOS"
                    ],
                    "x_mitre_platforms": [
                        "iOS"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-07-27 14:14:56.729000+00:00",
                    "modified": "2020-08-11 14:23:15.002000+00:00",
                    "name": "Zen",
                    "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0494",
                            "external_id": "S0494"
                        },
                        {
                            "source_name": "Google Security Zen",
                            "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins. Retrieved July 27, 2020.",
                            "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Zen"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.0"
                },
                {
                    "type": "malware",
                    "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-09-14 14:13:45.032000+00:00",
                    "modified": "2020-09-14 15:39:17.698000+00:00",
                    "name": "eSurv",
                    "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0507",
                            "external_id": "S0507"
                        },
                        {
                            "source_name": "Lookout eSurv",
                            "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.",
                            "url": "https://blog.lookout.com/esurv-research"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "eSurv"
                    ],
                    "x_mitre_platforms": [
                        "Android",
                        "iOS"
                    ],
                    "x_mitre_version": "1.0"
                }
            ],
            "major_version_changes": [
                {
                    "type": "malware",
                    "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-10-25 14:48:37.438000+00:00",
                    "modified": "2020-09-29 13:24:14.934000+00:00",
                    "name": "Dendroid",
                    "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/software/S0301",
                            "external_id": "S0301"
                        },
                        {
                            "source_name": "Dendroid",
                            "description": "(Citation: Lookout-Dendroid)"
                        },
                        {
                            "source_name": "Lookout-Dendroid",
                            "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.",
                            "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Dendroid"
                    ],
                    "x_mitre_old_attack_id": "MOB-S0017",
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-29 13:24:14.934000+00:00\", \"old_value\": \"2019-10-15 20:02:59.942000+00:00\"}, \"root['description']\": {\"new_value\": \"[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)\", \"old_value\": \"[Dendroid](https://attack.mitre.org/software/S0301) is an Android malware family. (Citation: Lookout-Dendroid)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to54__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to54__0\"><a href=\"#difflib_chg_to54__top\">t</a></td><td class=\"diff_header\" id=\"from54_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[Dendroid](https://attack.mitre.org/software/S0301)&nbsp;is&nbsp;an&nbsp;An</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to54__top\">t</a></td><td class=\"diff_header\" id=\"to54_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[Dendroid](https://attack.mitre.org/software/S0301)&nbsp;is&nbsp;an&nbsp;An</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">droid&nbsp;malware&nbsp;family.&nbsp;(Citation:&nbsp;Lookout-Dendroid)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">droid&nbsp;remote&nbsp;access&nbsp;tool&nbsp;(RAT)&nbsp;primarily&nbsp;targeting&nbsp;Western&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ountries.&nbsp;The&nbsp;RAT&nbsp;was&nbsp;available&nbsp;for&nbsp;purchase&nbsp;for&nbsp;$300&nbsp;and&nbsp;ca</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td 
nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">me&nbsp;bundled&nbsp;with&nbsp;a&nbsp;utility&nbsp;to&nbsp;inject&nbsp;the&nbsp;RAT&nbsp;into&nbsp;legitimate&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">applications.(Citation:&nbsp;Lookout-Dendroid)</span></td></tr>\n        </tbody>\n    </table>"
                },
                {
                    "type": "malware",
                    "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-10-16 01:46:53.625000+00:00",
                    "name": "XLoader for Android",
                    "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/software/S0318",
                            "external_id": "S0318"
                        },
                        {
                            "source_name": "XLoader for Android",
                            "description": "(Citation: TrendMicro-XLoader)"
                        },
                        {
                            "source_name": "TrendMicro-XLoader-FakeSpy",
                            "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"
                        },
                        {
                            "source_name": "TrendMicro-XLoader",
                            "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "XLoader for Android"
                    ],
                    "x_mitre_old_attack_id": "MOB-S0034",
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "2.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-16 01:46:53.625000+00:00\", \"old_value\": \"2018-12-11 20:40:31.461000+00:00\"}, \"root['name']\": {\"new_value\": \"XLoader for Android\", \"old_value\": \"XLoader\"}, \"root['description']\": {\"new_value\": \"[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).\", \"old_value\": \"[XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"XLoader for Android\", \"old_value\": \"XLoader\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"TrendMicro-XLoader-FakeSpy\", \"old_value\": \"TrendMicro-XLoader\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.\", \"old_value\": \"Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/\", \"old_value\": \"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/\"}, \"root['x_mitre_aliases'][0]\": {\"new_value\": \"XLoader for Android\", \"old_value\": \"XLoader\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"TrendMicro-XLoader\", \"description\": \"Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.\", \"url\": \"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/\"}}}",
                    "previous_version": "1.1",
                    "version_change": "1.1 \u2192 2.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to53__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to53__0\"><a href=\"#difflib_chg_to53__top\">t</a></td><td class=\"diff_header\" id=\"from53_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[XLoader](https://attack.mitre.org/software/S0318)&nbsp;is&nbsp;a&nbsp;mali</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to53__top\">t</a></td><td class=\"diff_header\" id=\"to53_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[XLoader&nbsp;for&nbsp;Android](https://attack.mitre.org/software/S031</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cious&nbsp;Android&nbsp;app&nbsp;that&nbsp;was&nbsp;observed&nbsp;targeting&nbsp;Japan,&nbsp;Korea,&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">8)&nbsp;is&nbsp;a&nbsp;malicious&nbsp;Android&nbsp;app&nbsp;first&nbsp;observed&nbsp;targeting&nbsp;Japan</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">China,&nbsp;Taiwan,&nbsp;and&nbsp;Hong&nbsp;Kong&nbsp;in&nbsp;2018.&nbsp;(Citation:&nbsp;TrendMicro-</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">,&nbsp;Korea,&nbsp;China,&nbsp;Taiwan,&nbsp;and&nbsp;Hong&nbsp;Kong&nbsp;in&nbsp;2018.&nbsp;It&nbsp;has&nbsp;more&nbsp;r</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">XLoader)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ecently&nbsp;been&nbsp;observed&nbsp;targeting&nbsp;South&nbsp;Korean&nbsp;users&nbsp;as&nbsp;a&nbsp;porn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ography&nbsp;application.(Citation:&nbsp;TrendMicro-XLoader-FakeSpy)(C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">itation:&nbsp;TrendMicro-XLoader)&nbsp;It&nbsp;is&nbsp;tracked&nbsp;separately&nbsp;from&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">he&nbsp;[XLoader&nbsp;for&nbsp;iOS](https://attack.mitre.org/software/S0490</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">).</span></td></tr>\n        </tbody>\n    </table>"
                }
            ],
            "minor_version_changes": [
                {
                    "type": "malware",
                    "id": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-04-08 15:41:19.114000+00:00",
                    "modified": "2020-09-11 15:42:15.261000+00:00",
                    "name": "Anubis",
                    "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0422",
                            "external_id": "S0422"
                        },
                        {
                            "source_name": "Cofense Anubis",
                            "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.",
                            "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Anubis"
                    ],
                    "x_mitre_contributors": [
                        "Aviran Hazum, Check Point",
                        "Sergey Persikov, Check Point"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 15:42:15.261000+00:00\", \"old_value\": \"2020-06-17 12:55:02.773000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-05-04 14:04:55.823000+00:00",
                    "modified": "2020-10-14 14:42:53.609000+00:00",
                    "name": "Bread",
                    "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0432",
                            "external_id": "S0432"
                        },
                        {
                            "source_name": "Joker",
                            "description": "(Citation: Google Bread)"
                        },
                        {
                            "source_name": "Google Bread",
                            "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends). Retrieved April 27, 2020.",
                            "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Bread",
                        "Joker"
                    ],
                    "x_mitre_contributors": [
                        "Sergey Persikov, Check Point",
                        "Jonathan Shimonovich, Check Point",
                        "Aviran Hazum, Check Point"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Sergey Persikov, Check Point\", \"Jonathan Shimonovich, Check Point\", \"Aviran Hazum, Check Point\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-14 14:42:53.609000+00:00\", \"old_value\": \"2020-05-07 15:11:36.361000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-06-26 15:32:24.569000+00:00",
                    "modified": "2020-09-11 15:43:49.079000+00:00",
                    "name": "Cerberus",
                    "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim it was used in private operations for two years.(Citation: Threat Fabric Cerberus)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0480",
                            "external_id": "S0480"
                        },
                        {
                            "source_name": "Threat Fabric Cerberus",
                            "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.",
                            "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Cerberus"
                    ],
                    "x_mitre_contributors": [
                        "Aviran Hazum, Check Point",
                        "Sergey Persikov, Check Point"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 15:43:49.079000+00:00\", \"old_value\": \"2020-06-30 02:12:46.324000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-04-24 15:06:32.870000+00:00",
                    "modified": "2020-09-11 15:45:38.235000+00:00",
                    "name": "Corona Updates",
                    "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0425",
                            "external_id": "S0425"
                        },
                        {
                            "source_name": "Wabi Music",
                            "description": "(Citation: TrendMicro Coronavirus Updates)"
                        },
                        {
                            "source_name": "Concipit1248",
                            "description": "(Citation: TrendMicro Coronavirus Updates)"
                        },
                        {
                            "source_name": "TrendMicro Coronavirus Updates",
                            "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.",
                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Corona Updates",
                        "Wabi Music",
                        "Concipit1248"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 15:45:38.235000+00:00\", \"old_value\": \"2020-04-30 18:25:32.550000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-04-08 15:51:24.862000+00:00",
                    "modified": "2020-09-11 15:50:18.707000+00:00",
                    "name": "Ginp",
                    "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0423",
                            "external_id": "S0423"
                        },
                        {
                            "source_name": "ThreatFabric Ginp",
                            "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.",
                            "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Ginp"
                    ],
                    "x_mitre_contributors": [
                        "Aviran Hazum, Check Point",
                        "Sergey Persikov, Check Point"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 15:50:18.707000+00:00\", \"old_value\": \"2020-05-11 16:37:36.407000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2019-09-23 13:36:07.816000+00:00",
                    "modified": "2020-09-11 15:53:38.216000+00:00",
                    "name": "Rotexy",
                    "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0411",
                            "external_id": "S0411"
                        },
                        {
                            "source_name": "securelist rotexy 2018",
                            "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.",
                            "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Rotexy"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 15:53:38.216000+00:00\", \"old_value\": \"2019-10-15 19:56:50.492000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                },
                {
                    "type": "malware",
                    "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2018-10-17 00:14:20.652000+00:00",
                    "modified": "2020-09-11 15:55:43.283000+00:00",
                    "name": "Stealth Mango",
                    "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-mobile-attack",
                            "url": "https://attack.mitre.org/software/S0328",
                            "external_id": "S0328"
                        },
                        {
                            "source_name": "Stealth Mango",
                            "description": "(Citation: Lookout-StealthMango)"
                        },
                        {
                            "source_name": "Lookout-StealthMango",
                            "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
                            "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "Stealth Mango"
                    ],
                    "x_mitre_old_attack_id": "MOB-S0044",
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.3",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 15:55:43.283000+00:00\", \"old_value\": \"2019-10-15 19:44:35.901000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}",
                    "previous_version": "1.2",
                    "version_change": "1.2 \u2192 1.3"
                },
                {
                    "type": "malware",
                    "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2020-04-24 17:46:31.111000+00:00",
                    "modified": "2020-09-11 15:57:37.561000+00:00",
                    "name": "TrickMo",
                    "description": "[TrickMo](https://attack.mitre.org/software/S0427) is a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ",
                    "revoked": false,
                    "labels": [
                        "malware"
                    ],
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/software/S0427",
                            "external_id": "S0427"
                        },
                        {
                            "source_name": "SecurityIntelligence TrickMo",
                            "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.",
                            "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_aliases": [
                        "TrickMo"
                    ],
                    "x_mitre_contributors": [
                        "Ohad Mana, Check Point",
                        "Aviran Hazum, Check Point",
                        "Sergey Persikov, Check Point"
                    ],
                    "x_mitre_platforms": [
                        "Android"
                    ],
                    "x_mitre_version": "1.1",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-09-11 15:57:37.561000+00:00\", \"old_value\": \"2020-05-11 16:25:37.381000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                    "previous_version": "1.0",
                    "version_change": "1.0 \u2192 1.1"
                }
            ],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "groups": {
            "additions": [],
            "major_version_changes": [
                {
                    "type": "intrusion-set",
                    "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
                    "created": "2017-05-31 21:31:48.664000+00:00",
                    "modified": "2020-10-06 23:32:21.793000+00:00",
                    "name": "APT28",
                    "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ",
                    "aliases": [
                        "APT28",
                        "SNAKEMACKEREL",
                        "Swallowtail",
                        "Group 74",
                        "Sednit",
                        "Sofacy",
                        "Pawn Storm",
                        "Fancy Bear",
                        "STRONTIUM",
                        "Tsar Team",
                        "Threat Group-4127",
                        "TG-4127"
                    ],
                    "revoked": false,
                    "external_references": [
                        {
                            "source_name": "mitre-attack",
                            "url": "https://attack.mitre.org/groups/G0007",
                            "external_id": "G0007"
                        },
                        {
                            "source_name": "APT28",
                            "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)"
                        },
                        {
                            "source_name": "SNAKEMACKEREL",
                            "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)"
                        },
                        {
                            "source_name": "Swallowtail",
                            "description": "(Citation: Symantec APT28 Oct 2018)"
                        },
                        {
                            "source_name": "Group 74",
                            "description": "(Citation: Talos Seduploader Oct 2017)"
                        },
                        {
                            "source_name": "Sednit",
                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. (Citation: FireEye APT28 January 2017) (Citation: SecureWorks TG-4127) (Citation: Kaspersky Sofacy) (Citation: Ars Technica GRU indictment Jul 2018)"
                        },
                        {
                            "source_name": "Sofacy",
                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"
                        },
                        {
                            "source_name": "Pawn Storm",
                            "description": "(Citation: SecureWorks TG-4127) (Citation: ESET Sednit Part 3)"
                        },
                        {
                            "source_name": "Fancy Bear",
                            "description": "(Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)"
                        },
                        {
                            "source_name": "STRONTIUM",
                            "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)"
                        },
                        {
                            "source_name": "Tsar Team",
                            "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)"
                        },
                        {
                            "source_name": "Threat Group-4127",
                            "description": "(Citation: SecureWorks TG-4127)"
                        },
                        {
                            "source_name": "TG-4127",
                            "description": "(Citation: SecureWorks TG-4127)"
                        },
                        {
                            "source_name": "NSA/FBI Drovorub August 2020",
                            "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.",
                            "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
                        },
                        {
                            "source_name": "DOJ GRU Indictment Jul 2018",
                            "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.",
                            "url": "https://www.justice.gov/file/1080281/download"
                        },
                        {
                            "source_name": "Ars Technica GRU indictment Jul 2018",
                            "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.",
                            "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
                        },
                        {
                            "source_name": "Crowdstrike DNC June 2016",
                            "description": "Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
                            "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
                        },
                        {
                            "source_name": "FireEye APT28",
                            "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
                            "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
                        },
                        {
                            "source_name": "SecureWorks TG-4127",
                            "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.",
                            "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
                        },
                        {
                            "source_name": "FireEye APT28 January 2017",
                            "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.",
                            "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
                        },
                        {
                            "source_name": "GRIZZLY STEPPE JAR",
                            "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
                            "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
                        },
                        {
                            "source_name": "Sofacy DealersChoice",
                            "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
                        },
                        {
                            "source_name": "Palo Alto Sofacy 06-2018",
                            "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.",
                            "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
                        },
                        {
                            "source_name": "Symantec APT28 Oct 2018",
                            "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.",
                            "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
                        },
                        {
                            "source_name": "ESET Zebrocy May 2019",
                            "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.",
                            "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
                        },
                        {
                            "source_name": "US District Court Indictment GRU Oct 2018",
                            "description": "Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.",
                            "url": "https://www.justice.gov/opa/page/file/1098481/download"
                        },
                        {
                            "source_name": "Kaspersky Sofacy",
                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
                            "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
                        },
                        {
                            "source_name": "ESET Sednit Part 3",
                            "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.",
                            "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
                        },
                        {
                            "source_name": "Talos Seduploader Oct 2017",
                            "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.",
                            "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
                        },
                        {
                            "source_name": "Securelist Sofacy Feb 2018",
                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.",
                            "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
                        },
                        {
                            "source_name": "Accenture SNAKEMACKEREL Nov 2018",
                            "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.",
                            "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
                        },
                        {
                            "source_name": "Microsoft STRONTIUM Aug 2019",
                            "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.",
                            "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"
                        },
                        {
                            "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020",
                            "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.",
                            "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
                        }
                    ],
                    "object_marking_refs": [
                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
                    ],
                    "x_mitre_contributors": [
                        "S\u00e9bastien Ruel, CGI",
                        "Drew Church, Splunk",
                        "Emily Ratliff, IBM",
                        "Richard Gold, Digital Shadows"
                    ],
                    "x_mitre_version": "3.0",
                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-10-06 23:32:21.793000+00:00\", \"old_value\": \"2020-03-30 15:28:00.965000+00:00\"}, \"root['description']\": {\"new_value\": \"[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\\n\\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
\", \"old_value\": \"[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
[APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\\n+[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\\n+\\n+[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). \"}, \"root['external_references'][9]['description']\": {\"new_value\": \"(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)\", \"old_value\": \"(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019)\"}, \"root['external_references'][13]['source_name']\": {\"new_value\": \"NSA/FBI Drovorub August 2020\", \"old_value\": \"DOJ GRU Indictment Jul 2018\"}, \"root['external_references'][13]['description']\": {\"new_value\": \"NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.\", \"old_value\": \"Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. 
Retrieved September 13, 2018.\"}, \"root['external_references'][13]['url']\": {\"new_value\": \"https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF\", \"old_value\": \"https://www.justice.gov/file/1080281/download\"}, \"root['external_references'][14]['source_name']\": {\"new_value\": \"DOJ GRU Indictment Jul 2018\", \"old_value\": \"Ars Technica GRU indictment Jul 2018\"}, \"root['external_references'][14]['description']\": {\"new_value\": \"Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.\", \"old_value\": \"Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.\"}, \"root['external_references'][14]['url']\": {\"new_value\": \"https://www.justice.gov/file/1080281/download\", \"old_value\": \"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/\"}, \"root['external_references'][15]['source_name']\": {\"new_value\": \"Ars Technica GRU indictment Jul 2018\", \"old_value\": \"Crowdstrike DNC June 2016\"}, \"root['external_references'][15]['description']\": {\"new_value\": \"Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.\", \"old_value\": \"Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. 
Retrieved August 3, 2016.\"}, \"root['external_references'][15]['url']\": {\"new_value\": \"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/\", \"old_value\": \"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\"}, \"root['external_references'][16]['source_name']\": {\"new_value\": \"Crowdstrike DNC June 2016\", \"old_value\": \"FireEye APT28\"}, \"root['external_references'][16]['description']\": {\"new_value\": \"Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.\", \"old_value\": \"FireEye. (2015). APT28: A WINDOW INTO RUSSIA\\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.\"}, \"root['external_references'][16]['url']\": {\"new_value\": \"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\", \"old_value\": \"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf\"}, \"root['external_references'][17]['source_name']\": {\"new_value\": \"FireEye APT28\", \"old_value\": \"SecureWorks TG-4127\"}, \"root['external_references'][17]['description']\": {\"new_value\": \"FireEye. (2015). APT28: A WINDOW INTO RUSSIA\\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.\", \"old_value\": \"SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. 
Retrieved August 3, 2016.\"}, \"root['external_references'][17]['url']\": {\"new_value\": \"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf\", \"old_value\": \"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign\"}, \"root['external_references'][18]['source_name']\": {\"new_value\": \"SecureWorks TG-4127\", \"old_value\": \"FireEye APT28 January 2017\"}, \"root['external_references'][18]['description']\": {\"new_value\": \"SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.\", \"old_value\": \"FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.\"}, \"root['external_references'][18]['url']\": {\"new_value\": \"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign\", \"old_value\": \"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf\"}, \"root['external_references'][19]['source_name']\": {\"new_value\": \"FireEye APT28 January 2017\", \"old_value\": \"GRIZZLY STEPPE JAR\"}, \"root['external_references'][19]['description']\": {\"new_value\": \"FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.\", \"old_value\": \"Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \\u2013 Russian Malicious Cyber Activity. 
Retrieved January 11, 2017.\"}, \"root['external_references'][19]['url']\": {\"new_value\": \"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf\", \"old_value\": \"https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf\"}, \"root['external_references'][20]['source_name']\": {\"new_value\": \"GRIZZLY STEPPE JAR\", \"old_value\": \"Sofacy DealersChoice\"}, \"root['external_references'][20]['description']\": {\"new_value\": \"Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \\u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.\", \"old_value\": \"Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.\"}, \"root['external_references'][20]['url']\": {\"new_value\": \"https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf\", \"old_value\": \"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/\"}, \"root['external_references'][21]['source_name']\": {\"new_value\": \"Sofacy DealersChoice\", \"old_value\": \"Palo Alto Sofacy 06-2018\"}, \"root['external_references'][21]['description']\": {\"new_value\": \"Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.\", \"old_value\": \"Lee, B., Falcone, R. (2018, June 06). Sofacy Group\\u2019s Parallel Attacks. 
Retrieved June 18, 2018.\"}, \"root['external_references'][21]['url']\": {\"new_value\": \"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/\", \"old_value\": \"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\"}, \"root['external_references'][22]['source_name']\": {\"new_value\": \"Palo Alto Sofacy 06-2018\", \"old_value\": \"Symantec APT28 Oct 2018\"}, \"root['external_references'][22]['description']\": {\"new_value\": \"Lee, B., Falcone, R. (2018, June 06). Sofacy Group\\u2019s Parallel Attacks. Retrieved June 18, 2018.\", \"old_value\": \"Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.\"}, \"root['external_references'][22]['url']\": {\"new_value\": \"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\", \"old_value\": \"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government\"}, \"root['external_references'][23]['source_name']\": {\"new_value\": \"Symantec APT28 Oct 2018\", \"old_value\": \"ESET Zebrocy May 2019\"}, \"root['external_references'][23]['description']\": {\"new_value\": \"Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.\", \"old_value\": \"ESET Research. (2019, May 22). A journey to Zebrocy land. 
Retrieved June 20, 2019.\"}, \"root['external_references'][23]['url']\": {\"new_value\": \"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government\", \"old_value\": \"https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/\"}, \"root['external_references'][24]['source_name']\": {\"new_value\": \"ESET Zebrocy May 2019\", \"old_value\": \"Kaspersky Sofacy\"}, \"root['external_references'][24]['description']\": {\"new_value\": \"ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.\", \"old_value\": \"Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.\"}, \"root['external_references'][24]['url']\": {\"new_value\": \"https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/\", \"old_value\": \"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/\"}, \"root['external_references'][25]['source_name']\": {\"new_value\": \"US District Court Indictment GRU Oct 2018\", \"old_value\": \"ESET Sednit Part 3\"}, \"root['external_references'][25]['description']\": {\"new_value\": \"Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.\", \"old_value\": \"ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.\"}, \"root['external_references'][25]['url']\": {\"new_value\": \"https://www.justice.gov/opa/page/file/1098481/download\", \"old_value\": \"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf\"}, \"root['external_references'][26]['source_name']\": {\"new_value\": \"Kaspersky Sofacy\", \"old_value\": \"Talos Seduploader Oct 2017\"}, \"root['external_references'][26]['description']\": {\"new_value\": \"Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). 
Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.\", \"old_value\": \"Mercer, W., et al. (2017, October 22). \\\"Cyber Conflict\\\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.\"}, \"root['external_references'][26]['url']\": {\"new_value\": \"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/\", \"old_value\": \"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html\"}, \"root['external_references'][27]['source_name']\": {\"new_value\": \"ESET Sednit Part 3\", \"old_value\": \"Securelist Sofacy Feb 2018\"}, \"root['external_references'][27]['description']\": {\"new_value\": \"ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.\", \"old_value\": \"Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.\"}, \"root['external_references'][27]['url']\": {\"new_value\": \"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf\", \"old_value\": \"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/\"}, \"root['external_references'][28]['source_name']\": {\"new_value\": \"Talos Seduploader Oct 2017\", \"old_value\": \"Accenture SNAKEMACKEREL Nov 2018\"}, \"root['external_references'][28]['description']\": {\"new_value\": \"Mercer, W., et al. (2017, October 22). \\\"Cyber Conflict\\\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.\", \"old_value\": \"Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019.\"}, \"root['external_references'][28]['url']\": {\"new_value\": \"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html\", \"old_value\": \"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50\"}, \"root['external_references'][29]['source_name']\": {\"new_value\": \"Securelist Sofacy Feb 2018\", \"old_value\": \"Microsoft STRONTIUM Aug 2019\"}, \"root['external_references'][29]['description']\": {\"new_value\": \"Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.\", \"old_value\": \"MSRC Team. (2019, August 5). Corporate IoT \\u2013 a path to intrusion. Retrieved August 16, 2019.\"}, \"root['external_references'][29]['url']\": {\"new_value\": \"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/\", \"old_value\": \"https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.3\"}}, \"iterable_item_added\": {\"root['external_references'][30]\": {\"source_name\": \"Accenture SNAKEMACKEREL Nov 2018\", \"description\": \"Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.\", \"url\": \"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50\"}, \"root['external_references'][31]\": {\"source_name\": \"Microsoft STRONTIUM Aug 2019\", \"description\": \"MSRC Team. (2019, August 5). Corporate IoT \\u2013 a path to intrusion. Retrieved August 16, 2019.\", \"url\": \"https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/\"}, \"root['external_references'][32]\": {\"source_name\": \"Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020\", \"description\": \"Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). 
STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.\", \"url\": \"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/\"}, \"root['x_mitre_contributors'][0]\": \"S\\u00e9bastien Ruel, CGI\"}}",
                    "previous_version": "2.3",
                    "version_change": "2.3 \u2192 3.0",
                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to55__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to55__0\"><a href=\"#difflib_chg_to55__top\">t</a></td><td class=\"diff_header\" id=\"from55_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[APT28](https://attack.mitre.org/groups/G0007)&nbsp;is&nbsp;a&nbsp;threat&nbsp;g</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to55__top\">t</a></td><td class=\"diff_header\" id=\"to55_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[APT28](https://attack.mitre.org/groups/G0007)&nbsp;is&nbsp;a&nbsp;threat&nbsp;g</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">roup&nbsp;that&nbsp;has&nbsp;been&nbsp;attributed&nbsp;to&nbsp;Russia's&nbsp;Main&nbsp;Intelligence&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">roup&nbsp;that&nbsp;has&nbsp;been&nbsp;attributed&nbsp;to&nbsp;Russia's&nbsp;General&nbsp;Staff&nbsp;Main</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Directorate&nbsp;of&nbsp;the&nbsp;Russian&nbsp;General&nbsp;Staff&nbsp;by&nbsp;a&nbsp;July&nbsp;2018&nbsp;U.S.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">&nbsp;Intelligence&nbsp;Directorate&nbsp;(GRU)&nbsp;85th&nbsp;Main&nbsp;Special&nbsp;Service&nbsp;Ce</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Department&nbsp;of&nbsp;Justice&nbsp;indictment.&nbsp;This&nbsp;group&nbsp;reportedly&nbsp;com</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nter&nbsp;(GTsSS)&nbsp;military&nbsp;unit&nbsp;26165.(Citation:&nbsp;NSA/FBI&nbsp;Drovorub</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">promised&nbsp;the&nbsp;Hillary&nbsp;Clinton&nbsp;campaign,&nbsp;the&nbsp;Democratic&nbsp;Nation</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;August&nbsp;2020)&nbsp;This&nbsp;group&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;2004</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">al&nbsp;Committee,&nbsp;and&nbsp;the&nbsp;Democratic&nbsp;Congressional&nbsp;Campaign&nbsp;Comm</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.(Citation:&nbsp;DOJ&nbsp;GRU&nbsp;Indictment&nbsp;Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Ars&nbsp;Tech</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ittee&nbsp;in&nbsp;2016&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;interfere&nbsp;with&nbsp;the&nbsp;U.S.&nbsp;presi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span 
class=\"diff_add\">nica&nbsp;GRU&nbsp;indictment&nbsp;Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Crowdstrike&nbsp;DNC&nbsp;Jun</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dential&nbsp;election.&nbsp;[APT28](https://attack.mitre.org/groups/G0</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;2016)&nbsp;(Citation:&nbsp;FireEye&nbsp;APT28)&nbsp;(Citation:&nbsp;SecureWorks&nbsp;TG-</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">007)&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;at&nbsp;least&nbsp;2004.(Citation:&nbsp;DOJ&nbsp;GRU&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">4127)&nbsp;(Citation:&nbsp;FireEye&nbsp;APT28&nbsp;January&nbsp;2017)&nbsp;(Citation:&nbsp;GRIZ</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Indictment&nbsp;Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Ars&nbsp;Technica&nbsp;GRU&nbsp;indictment&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ZLY&nbsp;STEPPE&nbsp;JAR)&nbsp;(Citation:&nbsp;Sofacy&nbsp;DealersChoice)&nbsp;(Citation:&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Jul&nbsp;2018)&nbsp;(Citation:&nbsp;Crowdstrike&nbsp;DNC&nbsp;June&nbsp;2016)&nbsp;(Citation:&nbsp;F</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Palo&nbsp;Alto&nbsp;Sofacy&nbsp;06-2018)&nbsp;(Citation:&nbsp;Symantec&nbsp;APT28&nbsp;Oct&nbsp;2018</span></td></tr>\n            <tr><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ireEye&nbsp;APT28)&nbsp;(Citation:&nbsp;SecureWorks&nbsp;TG-4127)&nbsp;(Citation:&nbsp;Fir</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">)&nbsp;(Citation:&nbsp;ESET&nbsp;Zebrocy&nbsp;May&nbsp;2019)&nbsp;&nbsp;[APT28](https://attack.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">eEye&nbsp;APT28&nbsp;January&nbsp;2017)&nbsp;(Citation:&nbsp;GRIZZLY&nbsp;STEPPE&nbsp;JAR)&nbsp;(Cit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mitre.org/groups/G0007)&nbsp;reportedly&nbsp;compromised&nbsp;the&nbsp;Hillary&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ation:&nbsp;Sofacy&nbsp;DealersChoice)&nbsp;(Citation:&nbsp;Palo&nbsp;Alto&nbsp;Sofacy&nbsp;06-</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">linton&nbsp;campaign,&nbsp;the&nbsp;Democratic&nbsp;National&nbsp;Committee,&nbsp;and&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">2018)&nbsp;(Citation:&nbsp;Symantec&nbsp;APT28&nbsp;Oct&nbsp;2018)&nbsp;(Citation:&nbsp;ESET&nbsp;Ze</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Democratic&nbsp;Congressional&nbsp;Campaign&nbsp;Committee&nbsp;in&nbsp;2016&nbsp;in&nbsp;an&nbsp;at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">brocy&nbsp;May&nbsp;2019)</span></td><td class=\"diff_next\"></td><td 
class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tempt&nbsp;to&nbsp;interfere&nbsp;with&nbsp;the&nbsp;U.S.&nbsp;presidential&nbsp;election.&nbsp;(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation:&nbsp;Crowdstrike&nbsp;DNC&nbsp;June&nbsp;2016)&nbsp;In&nbsp;2018,&nbsp;the&nbsp;US&nbsp;indicted&nbsp;f</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ive&nbsp;GRU&nbsp;Unit&nbsp;26165&nbsp;officers&nbsp;associated&nbsp;with&nbsp;[APT28](https://</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">attack.mitre.org/groups/G0007)&nbsp;for&nbsp;cyber&nbsp;operations&nbsp;(includi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ng&nbsp;close-access&nbsp;operations)&nbsp;conducted&nbsp;between&nbsp;2014&nbsp;and&nbsp;2018&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">against&nbsp;the&nbsp;World&nbsp;Anti-Doping&nbsp;Agency&nbsp;(WADA),&nbsp;the&nbsp;US&nbsp;Anti-Dop</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td 
class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;Agency,&nbsp;a&nbsp;US&nbsp;nuclear&nbsp;facility,&nbsp;the&nbsp;Organization&nbsp;for&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Prohibition&nbsp;of&nbsp;Chemical&nbsp;Weapons&nbsp;(OPCW),&nbsp;the&nbsp;Spiez&nbsp;Swiss&nbsp;Chem</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icals&nbsp;Laboratory,&nbsp;and&nbsp;other&nbsp;organizations.(Citation:&nbsp;US&nbsp;Dist</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rict&nbsp;Court&nbsp;Indictment&nbsp;GRU&nbsp;Oct&nbsp;2018)&nbsp;Some&nbsp;of&nbsp;these&nbsp;were&nbsp;condu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cted&nbsp;with&nbsp;the&nbsp;assistance&nbsp;of&nbsp;GRU&nbsp;Unit&nbsp;74455,&nbsp;which&nbsp;is&nbsp;also&nbsp;re</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ferred&nbsp;to&nbsp;as&nbsp;[Sandworm&nbsp;Team](https://attack.mitre.org/groups</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td 
nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/G0034).&nbsp;</span></td></tr>\n        </tbody>\n    </table>"
                }
            ],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "campaigns": {
            "additions": [],
            "major_version_changes": [],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "mitigations": {
            "additions": [],
            "major_version_changes": [],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "datasources": {
            "additions": [],
            "major_version_changes": [],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        },
        "datacomponents": {
            "additions": [],
            "major_version_changes": [],
            "minor_version_changes": [],
            "other_version_changes": [],
            "patches": [],
            "revocations": [],
            "deprecations": [],
            "deletions": []
        }
    },
    "new-contributors": [
        "AttackIQ",
        "Aviran Hazum, Check Point",
        "Center for Threat-Informed Defense (CTID)",
        "Cybereason Nocturnus, @nocturnus",
        "Dan Nutting, @KerberToast",
        "Daniyal Naeem",
        "Deloitte Threat Library Team",
        "Doron Karmi, @DoronKarmi",
        "Edward Millington",
        "Emile Kenning, Sophos",
        "ESET",
        "Expel",
        "Ibrahim Ali Khan",
        "Jacques Pluviose, @Jacqueswildy_IT",
        "James Dunn, @jamdunnDFW, EY",
        "Janantha Marasinghe",
        "Jon Sternstein, Stern Security",
        "Jonathan Shimonovich, Check Point",
        "Josh Campbell, Cyborg Security, @cyb0rgsecur1ty",
        "Lee Christensen, SpecterOps",
        "Leo Zhang, Trend Micro",
        "Martin Smol\u00e1r, ESET",
        "Mathieu Tartare, ESET",
        "Matt Snyder, VMware",
        "Ofir Almkias, Cybereason",
        "Phil Stokes, SentinelOne",
        "Praetorian",
        "Rick Cole, FireEye",
        "Robert Simmons",
        "Rodrigo Garcia, Red Canary",
        "SarathKumar Rajendran, Trimble Inc",
        "Sebastian Salla, McAfee",
        "Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) ",
        "Sergey Persikov, Check Point",
        "Steven Du, Trend Micro",
        "Swapnil Kumbhar",
        "S\u00e9bastien Ruel, CGI",
        "Toby Kohlenberg",
        "Vikas Singh, Sophos",
        "Vinayak Wadhwa, Lucideus",
        "Wes Hurd"
    ]
}